From: Alexander Sosedkin Date: Mon, 27 Apr 2026 15:16:25 +0000 (+0200) Subject: lib/auth/psk_passwd: limit the length of the comparison X-Git-Tag: 3.8.13^2~63 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=b10ac69270cd5ab4353efa62b92d9e04a5fec464;p=thirdparty%2Fgnutls.git lib/auth/psk_passwd: limit the length of the comparison Comparing a long username from a password file to a short username from the wire could lead to a heap overread up to the difference in their lengths. Fixes: #1864 Reported-by: Joshua Rogers of AISLE Research Team Signed-off-by: Alexander Sosedkin --- diff --git a/lib/auth/psk_passwd.c b/lib/auth/psk_passwd.c index 518756e7d7..abefd0d4ae 100644 --- a/lib/auth/psk_passwd.c +++ b/lib/auth/psk_passwd.c @@ -78,7 +78,7 @@ ATTRIBUTE_NONNULL((1, 2)) static bool username_matches(const gnutls_datum_t *username, const char *line, size_t line_size) { - int retval; + bool retval; unsigned i; gnutls_datum_t hexline, hex_username = { NULL, 0 }; @@ -91,7 +91,7 @@ static bool username_matches(const gnutls_datum_t *username, const char *line, return false; if (line_size == 0) - return (username->size == 0); + return false; /* move to first ':' */ i = 0; @@ -99,6 +99,9 @@ static bool username_matches(const gnutls_datum_t *username, const char *line, i++; } + if (line[i] != ':') + return false; + /* if format is in hex, e.g. #FAFAFA */ if (line[0] == '#' && line_size > 1) { hexline.data = (void *)&line[1]; @@ -107,19 +110,17 @@ static bool username_matches(const gnutls_datum_t *username, const char *line, if (gnutls_hex_decode2(&hexline, &hex_username) < 0) return gnutls_assert_val(0); - if (hex_username.size == username->size) - retval = memcmp(username->data, hex_username.data, - username->size); - else - retval = -1; + retval = hex_username.size == username->size && + memcmp(username->data, hex_username.data, + username->size) == 0; _gnutls_free_datum(&hex_username); } else { - retval = strncmp((const char *)username->data, line, - MAX(i, username->size)); + retval = i == username->size && + strncmp((const char *)username->data, line, i) == 0; } - return (retval == 0); + return retval; } /* Randomizes the given password entry. It actually sets a random password.