Fix auth digest refcount integer overflow #585
Conversation
Can one of the admins verify this patch?
... in busy long-running Squids. An impractical-to-overflow counter is also easier to deal with in code.
Thanks a lot for working on this bug! I have committed two adjustments. Please see if you agree with them and revert or adjust further as needed.
If you accept my changes, we will need to adjust the PR description accordingly. That description will become the future commit message (and needs reformatting anyway).
Unlike your initial version, I suspect that my change will increase the nonce structure size a bit, but I do not think that increase is important. If it is important, then the whole structure should be refactored to reduce waste anyway.
OK to test
Typically a nonce reference count should not exceed 7 (client HTTP request, server HTTP request, ICAP request, ICAP response, HTTP cache, auth credentials cache, transaction ALE) - plus or minus a few transaction state objects. 2^16 is far larger than this particular counter should ever reach, even assuming the admin sets some reasonably large re-use count for nonces. I think we would be better served adding overflow checks rather than increasing the limit like this. That can be achieved by converting this struct to a class and adding a RefCount Pointer rather than this ad-hoc reference counting (which is long overdue anyway). If you wish to take that on please do. It is relatively simple work, though time consuming to find all the code lines needing tweaks for the new ref-count API.
What makes overflow checks superior to a never-overflowing counter?
FWIW, I am not interested in doing that work at this time, but can undo my polishing commits if they are in the way.
In this case; detection of suspicious activity.
They are not a problem either way. FTR; if no one wants to take on the full update, I am okay with this going in as-is.
We have developed a proof of concept internally.
Looks good to me, although 64 bits is probably overkill. To reach such a value would require a number of open file descriptors that is simply not possible.
I have updated the description as requested.
On 64-bit architectures, it should not change the struct layout, as both the fields before and after are already 64 bits wide.
IMO, comparable detection is possible and, in fact, is easier to do correctly (as well as report more useful details) when there are no overflows.
Clearly, the possible range of this particular counter is rather uncertain/mysterious. Unless there is a provable certainty that this counter cannot exceed the number of file descriptors, even in the presence of transaction leaks and other "minor" bugs in the surrounding code, I think it is best to go with a 64-bit counter that cannot overflow even under those special circumstances. Fewer things to worry about... With Amos' blessing, I am clearing this PR for merging. If automated tests pass, the PR will be auto-merged in a few days. @desbma-s1n, thanks again for working on this bug!
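The thread above weighs two defences for the nonce reference counter: a checked increment that refuses to wrap (the "overflow checks" Amos suggests) versus a counter wide enough that wrapping is impractical (the 64-bit field the PR adopts). The following C++ is an added example written for this page, not Squid's code and not posted by any participant. The `Nonce` struct, its field names, and the `nonceRef`/`nonceUnref`/`nonceRefChecked` helpers are hypothetical; the 16-bit width used for the "narrow" case is an assumption standing in for a small pre-patch counter (the thread does not state the original width). It shows the failure mode a wrapped counter produces (the object is freed while other holders still reference it), how a checked acquire detects the same situation instead, and how long each width takes to wrap at a given rate.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical nonce with an ad-hoc reference counter (not Squid's struct).
// `freed` models the object being destroyed when the count drops to zero.
template <typename Count>
struct Nonce {
    Count references = 0;
    bool freed = false;
};

// Unchecked acquire: a narrow unsigned Count silently wraps to zero here.
template <typename Count>
void nonceRef(Nonce<Count> &n) {
    ++n.references;
}

// Release: the nonce is destroyed once the count reads zero.
template <typename Count>
void nonceUnref(Nonce<Count> &n) {
    if (--n.references == 0)
        n.freed = true;
}

// Take `holders` references, then release exactly one.
// Returns true if the nonce was freed even though holders-1 references remain,
// i.e. the counter wrapped and the release saw a bogus zero.
template <typename Count>
bool freedWhileReferenced(uint64_t holders) {
    Nonce<Count> n;
    for (uint64_t i = 0; i < holders; ++i)
        nonceRef(n);
    nonceUnref(n);
    return n.freed && holders > 1;
}

// Checked acquire, the alternative discussed in the thread: refuse to
// increment at the ceiling so the caller can log or abort instead of wrapping.
template <typename Count>
bool nonceRefChecked(Nonce<Count> &n) {
    if (n.references == std::numeric_limits<Count>::max())
        return false;
    ++n.references;
    return true;
}

// Drive a checked counter to its ceiling; true if the next acquire is refused
// and the count stays at max rather than wrapping.
template <typename Count>
bool checkedAcquireSaturates() {
    Nonce<Count> n;
    const uint64_t limit = std::numeric_limits<Count>::max();
    for (uint64_t i = 0; i < limit; ++i)
        if (!nonceRefChecked(n))
            return false;
    return !nonceRefChecked(n) && n.references == limit;
}

// Seconds of continuous acquires at `perSecond` before a Count wraps.
template <typename Count>
double secondsToWrap(double perSecond) {
    const double states = static_cast<double>(std::numeric_limits<Count>::max()) + 1.0;
    return states / perSecond;
}

int main() {
    // 65537 acquires on a 16-bit counter leave it reading 1; one release then
    // "frees" the nonce while 65536 holders still point at it.
    std::printf("16-bit counter freed while referenced: %s\n",
                freedWhileReferenced<uint16_t>(65537) ? "yes" : "no");
    std::printf("64-bit counter freed while referenced: %s\n",
                freedWhileReferenced<uint64_t>(65537) ? "yes" : "no");
    std::printf("checked 16-bit acquire saturates: %s\n",
                checkedAcquireSaturates<uint16_t>() ? "yes" : "no");
    std::printf("16-bit wraps after %.2e s at 1e9/s; 64-bit after %.2e s (~%.0f years)\n",
                secondsToWrap<uint16_t>(1e9), secondsToWrap<uint64_t>(1e9),
                secondsToWrap<uint64_t>(1e9) / (365.0 * 86400.0));
    return 0;
}
```

The two approaches are not exclusive: a 64-bit field removes the wrap as a practical concern (roughly 584 years of continuous one-per-nanosecond acquires), while a checked acquire turns an implausible count into a loggable event, which is the "detection of suspicious activity" point raised above. Either way, the unchecked narrow counter is the one to avoid, because its failure surfaces as a premature free rather than as an error.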
This fixes a possible overflow of the nonce reference counter in the digest authentication scheme, found by security researchers @synacktiv. It changes `references` to be a 64-bit unsigned integer. This makes overflowing the counter impossible in practice.