Fix auth digest refcount integer overflow (#585)

This fixes a possible overflow of the nonce reference counter in the
digest authentication scheme, found by security researchers
@synacktiv.

It changes `references` to be an 64 bits unsigned integer. This makes
overflowing the counter impossible in practice.

diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index fdef7dfa95ad50c05d4f6ff3ced5385dc519ffc5..9deb184d72fc0cf50645234a3f53805fe8fee100 100644 (file)
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
 static void authenticateDigestNonceSetup(void);
 static void authDigestNonceEncode(digest_nonce_h * nonce);
 static void authDigestNonceLink(digest_nonce_h * nonce);
-#if NOT_USED
-static int authDigestNonceLinks(digest_nonce_h * nonce);
-#endif
 static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
 
 static void
@@ -289,21 +286,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
 {
     assert(nonce != NULL);
     ++nonce->references;
+    assert(nonce->references != 0); // no overflows
     debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
 }
 
-#if NOT_USED
-static int
-authDigestNonceLinks(digest_nonce_h * nonce)
-{
-    if (!nonce)
-        return -1;
-
-    return nonce->references;
-}
-
-#endif
-
 void
 authDigestNonceUnlink(digest_nonce_h * nonce)
 {

diff --git a/src/auth/digest/Config.h b/src/auth/digest/Config.h
index 56ccaa9875b6edf23fb5d2111c6f4143acc58fd5..7fb76739ce2a5dbc4ced83e3ec7ce3f7371969de 100644 (file)
--- a/src/auth/digest/Config.h
+++ b/src/auth/digest/Config.h
@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
     /* number of uses we've seen of this nonce */
     unsigned long nc;
     /* reference count */
-    short references;
+    uint64_t references;
     /* the auth_user this nonce has been tied to */
     Auth::Digest::User *user;
     /* has this nonce been invalidated ? */