From: Joshua Rogers Date: Thu, 11 Sep 2025 11:58:52 +0000 (+0000) Subject: digest_edirectory_auth: safely return password (#2197) X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0d9d22206334a424dec2d83f184f71647632fba3;p=thirdparty%2Fsquid.git digest_edirectory_auth: safely return password (#2197) Previously, nmasldap_get_simple_pwd() and nmasldap_get_password() could overrun or return non-terminated strings at length boundaries. This change adds strict bounds checks, copies at most len - 1, and ensures explicit NUL termination, aligning both helpers buffer/length semantics without altering call-site behavior. --- diff --git a/src/auth/digest/eDirectory/edir_ldapext.cc b/src/auth/digest/eDirectory/edir_ldapext.cc index d1680b2293..d0349c6446 100644 --- a/src/auth/digest/eDirectory/edir_ldapext.cc +++ b/src/auth/digest/eDirectory/edir_ldapext.cc @@ -373,9 +373,7 @@ static int nmasldap_get_simple_pwd( err = getLoginConfig(ld, objectDN, methodIDLen, &methodID, tag, &pwdBufLen, pwdBuf); if (err == 0) { - if (pwdBufLen !=0) { - pwdBuf[pwdBufLen] = 0; /* null terminate */ - + if (pwdBufLen > 1) { switch (pwdBuf[0]) { case 1: /* cleartext password */ break; @@ -387,10 +385,10 @@ static int nmasldap_get_simple_pwd( err = LDAP_INAPPROPRIATE_AUTH; /* only return clear text */ break; } - if (!err) { - if (pwdLen >= pwdBufLen-1) { + if (pwdLen >= pwdBufLen) { memcpy(pwd, &pwdBuf[1], pwdBufLen-1); /* skip digest tag and include null */ + pwd[pwdBufLen - 1] = '\0'; } else { err = LDAP_NO_MEMORY; } @@ -462,6 +460,8 @@ static int nmasldap_get_password( if (*pwdSize >= pwdBufLen+1 && pwd != nullptr) { memcpy(pwd, pwdBuf, pwdBufLen); pwd[pwdBufLen] = 0; /* add null termination */ + } else { + err = LDAP_OPERATIONS_ERROR; } *pwdSize = pwdBufLen; /* does not include null termination */ }
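Review bot: In nmasldap_get_simple_pwd the guard `if (pwdBufLen > 1)` now skips a reply that holds only the tag byte, and nothing inside this hunk sets `err` for that case. The branch taken when the guard fails lies outside the hunk, so it should be confirmed that it sets a non-zero `err` for a length of 1 as well as 0; otherwise the caller would see success with `pwd` never written. A short comment on the guard would record the intent, e.g. `/* need the tag byte plus at least one password byte */`.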
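Review bot: The comment on the `memcpy` line in the second hunk still reads `/* skip digest tag and include null */`, but the terminator now comes from the added `pwd[pwdBufLen - 1] = '\0';`, so it should become something like `/* skip digest tag; NUL written below */`. The size test `pwdLen >= pwdBufLen` does match the pwdBufLen bytes written (pwdBufLen-1 copied plus the terminator). Unlike nmasldap_get_password, which tests `pwd != nullptr` before copying, this path dereferences `pwd` unchecked; if any caller can pass a null buffer, `if (pwd != nullptr && pwdLen >= pwdBufLen) {` would make the two helpers agree. The callers are not visible in this diff, and the function body extends beyond the hunk on both sides.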
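Review bot: The new `else` in nmasldap_get_password reports LDAP_OPERATIONS_ERROR both for a too-small buffer and for a null `pwd`, while `*pwdSize = pwdBufLen;` still runs afterwards and reports the length without the terminator. A caller that retries with exactly the reported size would fail the `*pwdSize >= pwdBufLen+1` test again, so the contract deserves a comment such as `/* on failure *pwdSize is the password length; the buffer must hold *pwdSize + 1 bytes */`. nmasldap_get_simple_pwd returns LDAP_NO_MEMORY for the same too-small condition; using one code in both helpers would let callers tell a short buffer from other failures. The function begins before this hunk, so whether any caller passes a null `pwd` to query the size cannot be checked here.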