Fix stack buffer overflow when parsing Digest Authorization (#1517)
The bug was discovered and detailed by Joshua Rogers at
https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
where it was filed as "Stack Buffer Overflow in Digest Authentication".
nonsleepr authored and yadij committed Oct 16, 2023
1 parent 6cfa10d commit dc0e10b
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions src/auth/digest/Config.cc
Expand Up @@ -827,11 +827,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
break;

case DIGEST_NC:
if (value.size() != 8) {
if (value.size() == 8) {
// for historical reasons, the nc value MUST be exactly 8 bytes
static_assert(sizeof(digest_request->nc) == 8 + 1);
xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
} else {
debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
digest_request->nc[0] = 0;
}
xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
break;

case DIGEST_CNONCE:
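Review bot: The copy in the `value.size() == 8` branch still takes its bound from the input (`value.size() + 1`) rather than from the destination, so it is only safe while the length check and the `static_assert` stay directly next to it. Bounding it by the destination makes the call safe on its own and copies the same 8 bytes here: `xstrncpy(digest_request->nc, value.rawBuf(), sizeof(digest_request->nc));`. The check also accepts any 8 bytes, not only hexadecimal digits, and the `else` branch just leaves `nc` empty and continues parsing. Whether an empty or non-hex `nc` is rejected later cannot be seen from this hunk, so a short comment naming where that happens would help, e.g. `// empty nc is rejected during later field validation` if that is the case. The body of `Auth::Digest::Config::decode()` starts and ends outside the hunk.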