lib/auth/psk_passwd: limit the length of the comparison

Comparing a long username from a password file
to a short username from the wire
could lead to a heap overread up to the difference in their lengths.

Fixes: #1864
Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

diff --git a/lib/auth/psk_passwd.c b/lib/auth/psk_passwd.c
index 518756e7d7d749cb04988eb45ffab0a5def937f7..abefd0d4aef1e5310284f7ad0732823effd0e31c 100644 (file)
--- a/lib/auth/psk_passwd.c
+++ b/lib/auth/psk_passwd.c
@@ -78,7 +78,7 @@ ATTRIBUTE_NONNULL((1, 2))
 static bool username_matches(const gnutls_datum_t *username, const char *line,
                             size_t line_size)
 {
-       int retval;
+       bool retval;
        unsigned i;
        gnutls_datum_t hexline, hex_username = { NULL, 0 };
 
@@ -91,7 +91,7 @@ static bool username_matches(const gnutls_datum_t *username, const char *line,
                return false;
 
        if (line_size == 0)
-               return (username->size == 0);
+               return false;
 
        /* move to first ':' */
        i = 0;
@@ -99,6 +99,9 @@ static bool username_matches(const gnutls_datum_t *username, const char *line,
                i++;
        }
 
+       if (line[i] != ':')
+               return false;
+
        /* if format is in hex, e.g. #FAFAFA */
        if (line[0] == '#' && line_size > 1) {
                hexline.data = (void *)&line[1];
@@ -107,19 +110,17 @@ static bool username_matches(const gnutls_datum_t *username, const char *line,
                if (gnutls_hex_decode2(&hexline, &hex_username) < 0)
                        return gnutls_assert_val(0);
 
-               if (hex_username.size == username->size)
-                       retval = memcmp(username->data, hex_username.data,
-                                       username->size);
-               else
-                       retval = -1;
+               retval = hex_username.size == username->size &&
+                        memcmp(username->data, hex_username.data,
+                               username->size) == 0;
 
                _gnutls_free_datum(&hex_username);
        } else {
-               retval = strncmp((const char *)username->data, line,
-                                MAX(i, username->size));
+               retval = i == username->size &&
+                        strncmp((const char *)username->data, line, i) == 0;
        }
 
-       return (retval == 0);
+       return retval;
 }
 
 /* Randomizes the given password entry. It actually sets a random password.