Re: (ITS#7851) [PATCH] buffer overrun in password checkers with malformed hash - openldap-bugs

26 Jun 2014

This is a multi-part message in MIME format.
--------------070104060109070008020807
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
I checked the new pw-pbkdf2 module. It doesn't appear to be affected by 
this problem.
On 11/05/14 07:56 PM, Ryan Tandy wrote:
...
ftp://ftp.openldap.org/incoming/rtandy_20140511_fix-passwd-b64-buffer_v2.patch
You probably know this, but just in case it helps: "git am --keep-cr" is 
the way to apply that patch, because of apr1.c's line endings.
There's a second bug in slapd-sha2.c, a missing cast causing the return 
value of lutil_b64_pton to be ignored. The built-in checkers already 
have the appropriate cast. Patch attached.
--------------070104060109070008020807
Content-Type: text/x-patch;
 name="0002-ITS-7851-contrib-pw-sha2-fix-int-size_t-comparison.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename*0="0002-ITS-7851-contrib-pw-sha2-fix-int-size_t-comparison.patc";
 filename*1="h"
...
From 0683ded766e51e0521991fc1a5d2303cf95cc475 Mon Sep 17 00:00:00 2001
From: Ryan Tandy ryan@nardis.ca
Date: Thu, 26 Jun 2014 18:33:29 -0700
Subject: [PATCH 2/2] ITS#7851 contrib pw-sha2 fix int/size_t comparison
---
 contrib/slapd-modules/passwd/sha2/slapd-sha2.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/contrib/slapd-modules/passwd/sha2/slapd-sha2.c b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
index 1ec7989..2e4fcb0 100644
--- a/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
+++ b/contrib/slapd-modules/passwd/sha2/slapd-sha2.c
@@ -244,7 +244,7 @@ static int chk_ssha256(
rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
-	if( rc <= sizeof(SHAdigest) ) {
+	if( rc <= (int)(sizeof(SHAdigest)) ) {
    	ber_memfree(orig_pass);
    	return LUTIL_PASSWD_ERR;
    }
@@ -332,7 +332,7 @@ static int chk_ssha384(
rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
-	if( rc <= sizeof(SHAdigest) ) {
+	if( rc <= (int)(sizeof(SHAdigest)) ) {
    	ber_memfree(orig_pass);
    	return LUTIL_PASSWD_ERR;
    }
@@ -420,7 +420,7 @@ static int chk_ssha512(
rc = lutil_b64_pton(passwd->bv_val, orig_pass, decode_len);
-	if( rc <= sizeof(SHAdigest) ) {
+	if( rc <= (int)(sizeof(SHAdigest)) ) {
    	ber_memfree(orig_pass);
    	return LUTIL_PASSWD_ERR;
    }
-- 
2.0.0


--------------070104060109070008020807--



    