
Commit eeebf0f

desbma-s1nyadij
authored andcommitted
Fix auth digest refcount integer overflow (#585)
This fixes a possible overflow of the nonce reference counter in the digest authentication scheme, found by security researchers @synacktiv. It changes `references` to be a 64-bit unsigned integer. This makes overflowing the counter impossible in practice.
1 parent f163223 commit eeebf0f


2 files changed

+2
-16
lines changed


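--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -94,9 +94,6 @@ static void authenticateDigestNonceDelete(digest_nonce_h * nonce);
 static void authenticateDigestNonceSetup(void);
 static void authDigestNonceEncode(digest_nonce_h * nonce);
 static void authDigestNonceLink(digest_nonce_h * nonce);
-#if NOT_USED
-static int authDigestNonceLinks(digest_nonce_h * nonce);
-#endif
 static void authDigestNonceUserUnlink(digest_nonce_h * nonce);
 
 static void
@@ -289,21 +286,10 @@ authDigestNonceLink(digest_nonce_h * nonce)
 {
 assert(nonce != NULL);
 ++nonce->references;
+assert(nonce->references != 0); // no overflows
 debugs(29, 9, "nonce '" << nonce << "' now at '" << nonce->references << "'.");
 }
 
-#if NOT_USED
-static int
-authDigestNonceLinks(digest_nonce_h * nonce)
-{
-if (!nonce)
-return -1;
-
-return nonce->references;
-}
-
-#endif
-
 void
 authDigestNonceUnlink(digest_nonce_h * nonce)
 {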
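Review bot: The overflow check in authDigestNonceLink runs only after `++nonce->references` has already wrapped, so the counter briefly holds 0 for a nonce that is still referenced, and the guard helps only if this project's `assert` is fatal and never compiled out, which the hunk does not show. Testing before the increment, e.g. `assert(nonce->references < UINT64_MAX); // refuse to wrap: a zero count would let a live nonce be freed` ahead of `++nonce->references;`, keeps the field from ever holding a wrapped value and states the invariant more clearly than `// no overflows`. The function's `static void` line sits above this hunk, and authDigestNonceUnlink's body continues past its end, so the matching decrement path cannot be checked from here.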

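--- a/src/auth/digest/Config.h
+++ b/src/auth/digest/Config.h
@@ -42,7 +42,7 @@ struct _digest_nonce_h : public hash_link {
 /* number of uses we've seen of this nonce */
 unsigned long nc;
 /* reference count */
-short references;
+uint64_t references;
 /* the auth_user this nonce has been tied to */
 Auth::Digest::User *user;
 /* has this nonce been invalidated ? */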
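Review bot: Moving `references` from signed `short` to `uint64_t` changes what an unbalanced unlink does: a decrement at zero now wraps to a very large positive value instead of going negative, so any existing `references < 0` or `<= 0` style test elsewhere would silently stop matching. The sites that decrement or compare this field are outside the hunk and should be confirmed against the new type; it is also not visible whether this header already includes `<cstdint>` for `uint64_t`. The field comment could record the reasoning, e.g. `/* reference count; 64-bit unsigned so it cannot realistically wrap */`. The struct definition continues beyond the hunk.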
