[PATCH] arts/mcop auth cookie generation broken

Malte S. Stretz msquadrat.nospamplease-hi6Y0CQ0nG0 at public.gmane.org
Sat Nov 20 19:39:22 GMT 2004


Moin,

while I was hunting a different bug, I stumbled upon some weird stuff in the 
file mcop/md5auth.cc.  The first thing I noticed was line 125:
 // this is some seed from a file which is updated sometimes with a
 // new "arts_md5_auth_mkcookie()" after initialization
 strncmp(r.seed,md5_seed,MD5_COOKIE_LEN);

I don't know if this exploits some voodoo hidden in the depths of strncmp(), 
but to me a comparison which doesn't check the return value looks plain 
wrong.  I guess it was supposed to be a strncpy().

To understand that file better, I went on to replace all explicit buffer 
sizes with constants.  I put MD5_BINARY_LEN into md5.h as that belongs to 
the algorithm itself, and moved MD5_COOKIE_LEN out of mf5auth.h into the .c 
file -- no reason to make that constant publically available and it's used 
nowhere else.  MD5_MANGLE_LEN is just sugar instead of MD5_COOKIE_LEN*2.

While I did so, I noticed that in md5_to_ascii_overwrite() the outascii 
string wasn't null-terminated.

That the buffer out in arts_md5_auth_mangle() was actually too big:  out 
always takes a binary md5sum, not a stringified form -- which wouldn't have 
worked anyway as then the buffer was missing the byte for the terminating 
null.

Ok, attached is the patch.  Most of the changes are just the introduction of 
the constants, the actual changes are the following lines in the patch:
 line 36: missing null termination
 line 52/54: buffer too big
 line 95/96: s/strncmp/strncpy/

If you think that patch looks good, please commit.

Cheers,
Malte

P.S.: I don't know where that authentication is actually used in real life 
so I can't test it, but my own built-in debugger tells me that those lines 
are wrong.

P.P.S.: I guess kde-multimedia would have been the more correct list to post 
this to, but I don't want to subscribe to Yet Another List.

-- 
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
      <http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
      <http://www.catb.org/~esr/faqs/smart-questions.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: md5auth.patch
Type: text/x-diff
Size: 4525 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20041120/8d856089/attachment.patch>


More information about the kde-core-devel mailing list