Fix minor severity heap buffer overflow reading --auth-file #806

Closed
Fix minor severity heap buffer overflow reading --auth-file
Fixes #805

Allocate an extra byte for reading the last entry when there is no `\n` at
the end of the file.

Also, check if the user contains null bytes when reading the last entry.

Unrelatedly, add handling in case the auth file size changes while it is being read.
TysonAndre committed Jul 22, 2021
commit 264722ae4e248b453be00e97197dadc685b60fd0
22 changes: 14 additions & 8 deletions authfile.c
Expand Up @@ -41,23 +41,29 @@ enum authfile_ret authfile_load(const char *file) {
return AUTHFILE_STATFAIL;
}

auth_data = calloc(1, sb.st_size);
auth_data = calloc(1, sb.st_size + 1);

char *auth_cur = auth_data;
char *auth_end = auth_data + sb.st_size;
auth_t *entry_cur = auth_entries;
int used = 0;

while ((fgets(auth_cur, MAX_ENTRY_LEN, pwfile)) != NULL) {
while ((fgets(auth_cur, auth_end - auth_cur < MAX_ENTRY_LEN ? auth_end - auth_cur : MAX_ENTRY_LEN, pwfile)) != NULL) {
int x;
int found = 0;

for (x = 0; x < MAX_ENTRY_LEN; x++) {
if (!found && auth_cur[x] == ':') {
entry_cur->user = auth_cur;
entry_cur->ulen = x;
entry_cur->pass = &auth_cur[x+1];
found = 1;
} else if (found) {
if (!found) {
if (auth_cur[x] == '\0') {
// The username is malformed - this is either the end of the file or a null byte.
break;
} else if (auth_cur[x] == ':') {
entry_cur->user = auth_cur;
entry_cur->ulen = x;
entry_cur->pass = &auth_cur[x+1];
found = 1;
}
} else {
// Find end of password.
if (auth_cur[x] == '\n' ||
auth_cur[x] == '\r' ||
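Review bot: `auth_end` is still `auth_data + sb.st_size`, so the byte added by `calloc(1, sb.st_size + 1)` never becomes available to `fgets`. `fgets` stores at most size - 1 characters plus the terminator, and on the first call `auth_cur == auth_data`, so for a file shorter than `MAX_ENTRY_LEN` with no trailing `\n` the size passed is `sb.st_size` and the final byte of the entry is left unread by that call. Setting `auth_end = auth_data + sb.st_size + 1` would let the last entry be read whole while keeping every write inside the allocation. Two smaller points on the same lines: the clamp inside the `fgets` call would read better as a named local, with a remaining size of 0 or 1 handled explicitly instead of being passed to `fgets`; and the `for` loop still runs to `MAX_ENTRY_LEN` rather than the clamped size, so staying inside the buffer depends on each branch stopping at the terminator.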