Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fix auth digest refcount integer overflow (#585)
This fixes a possible overflow of the nonce reference counter in the
digest authentication scheme, found by security researchers
@synacktiv.

It changes `references` to be an 64 bits unsigned integer. This makes
overflowing the counter impossible in practice.
  • Loading branch information
desbma-s1n authored and yadij committed Apr 14, 2020
1 parent f163223 commit eeebf0f
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 16 deletions.
16 changes: 1 addition & 15 deletions src/auth/digest/Config.cc
Expand Up @@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
static void authenticateDigestNonceSetup(void);
static void authDigestNonceEncode(digest_nonce_h * nonce);
static void authDigestNonceLink(digest_nonce_h * nonce);
#if NOT_USED
static int authDigestNonceLinks(digest_nonce_h * nonce);
#endif
static void authDigestNonceUserUnlink(digest_nonce_h * nonce);

static void
Expand Down Expand Up @@ -289,21 +286,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
{
assert(nonce != NULL);
++nonce->references;
assert(nonce->references != 0); // no overflows
debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
}

#if NOT_USED
static int
authDigestNonceLinks(digest_nonce_h * nonce)
{
if (!nonce)
return -1;

return nonce->references;
}

#endif

void
authDigestNonceUnlink(digest_nonce_h * nonce)
{
Expand Down
2 changes: 1 addition & 1 deletion src/auth/digest/Config.h
Expand Up @@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
/* number of uses we've seen of this nonce */
unsigned long nc;
/* reference count */
short references;
uint64_t references;
/* the auth_user this nonce has been tied to */
Auth::Digest::User *user;
/* has this nonce been invalidated ? */
Expand Down

0 comments on commit eeebf0f

Please sign in to comment.