[PATCH] arts/mcop auth cookie generation broken
Malte S. Stretz
msquadrat.nospamplease-hi6Y0CQ0nG0 at public.gmane.org
Sat Nov 20 19:39:22 GMT 2004
Moin,
while I was hunting a different bug, I stumbled upon some weird stuff in the
file mcop/md5auth.cc. The first thing I noticed was line 125:
// this is some seed from a file which is updated sometimes with a
// new "arts_md5_auth_mkcookie()" after initialization
strncmp(r.seed,md5_seed,MD5_COOKIE_LEN);
I don't know if this exploits some voodoo hidden in the depths of strncmp(),
but to me a comparison which doesn't check the return value looks plain
wrong. I guess it was supposed to be a strncpy().
To understand that file better, I went on to replace all explicit buffer
sizes with constants. I put MD5_BINARY_LEN into md5.h as that belongs to
the algorithm itself, and moved MD5_COOKIE_LEN out of md5auth.h into the .c
file -- no reason to make that constant publicly available and it's used
nowhere else. MD5_MANGLE_LEN is just sugar instead of MD5_COOKIE_LEN*2.
While I did so, I noticed that in md5_to_ascii_overwrite() the outascii
string wasn't null-terminated.
Also, the buffer out in arts_md5_auth_mangle() was actually too big: out
always takes a binary md5sum, not a stringified form -- which wouldn't have
worked anyway, as then the buffer was missing the byte for the terminating
null.
Ok, attached is the patch. Most of the changes are just the introduction of
the constants, the actual changes are the following lines in the patch:
line 36: missing null termination
line 52/54: buffer too big
line 95/96: s/strncmp/strncpy/
If you think that patch looks good, please commit.
Cheers,
Malte
P.S.: I don't know where that authentication is actually used in real life
so I can't test it, but my own built-in debugger tells me that those lines
are wrong.
P.P.S.: I guess kde-multimedia would have been the more correct list to post
this to, but I don't want to subscribe to Yet Another List.
--
[SGT] Simon G. Tatham: "How to Report Bugs Effectively"
<http://www.chiark.greenend.org.uk/~sgtatham/bugs.html>
[ESR] Eric S. Raymond: "How To Ask Questions The Smart Way"
<http://www.catb.org/~esr/faqs/smart-questions.html>
Attachment: md5auth.patch (text/x-diff, 4525 bytes)
<http://mail.kde.org/pipermail/kde-core-devel/attachments/20041120/8d856089/attachment.patch>
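Added example, not from the mail or the aRts sources: the two defects described above, the hex cookie written without a terminating NUL and the strncmp() that never copies the seed, reconstructed in C beside their corrected forms. Function names are assumptions; MD5_BINARY_LEN is taken from the 16-byte MD5 digest size and MD5_COOKIE_LEN is twice that, as the mail proposes.

```c
#include <string.h>

/* Constants as proposed in the mail; names follow the mail, aRts code is not reproduced. */
#define MD5_BINARY_LEN 16
#define MD5_COOKIE_LEN (2 * MD5_BINARY_LEN)

/* Hex-encode a digest. The defect reported for md5_to_ascii_overwrite() was
 * a missing terminating NUL, so outascii must hold MD5_COOKIE_LEN + 1 bytes. */
void cookie_to_ascii(const unsigned char *digest, char *outascii)
{
    static const char hex[] = "0123456789abcdef";
    for (int i = 0; i < MD5_BINARY_LEN; i++) {
        outascii[2 * i]     = hex[digest[i] >> 4];
        outascii[2 * i + 1] = hex[digest[i] & 0x0f];
    }
    outascii[MD5_COOKIE_LEN] = '\0';   /* the terminator that was missing */
}

/* The seed line as quoted in the mail: strncmp() only compares, so r_seed keeps its old contents. */
void seed_copy_as_found(char *r_seed, const char *md5_seed)
{
    (void)strncmp(r_seed, md5_seed, MD5_COOKIE_LEN);
}

/* The strncpy() the mail believes was intended, plus an explicit terminator (strncpy() adds none). */
void seed_copy_fixed(char *r_seed, const char *md5_seed)
{
    strncpy(r_seed, md5_seed, MD5_COOKIE_LEN);
    r_seed[MD5_COOKIE_LEN] = '\0';
}

/* Constructed digest 00 11 22 .. ff, encoded into a static buffer. */
const char *demo_cookie(void)
{
    static char cookie[MD5_COOKIE_LEN + 1];
    unsigned char digest[MD5_BINARY_LEN];
    for (int i = 0; i < MD5_BINARY_LEN; i++) digest[i] = (unsigned char)(i * 0x11);
    cookie_to_ascii(digest, cookie);
    return cookie;
}

/* 1 when the as-found copy left the record empty and the fixed copy delivered
 * the whole cookie, i.e. the mail's diagnosis holds; 0 otherwise. */
int demo_seed_copy(void)
{
    char as_found[MD5_COOKIE_LEN + 1] = "", fixed[MD5_COOKIE_LEN + 1] = "";
    seed_copy_as_found(as_found, demo_cookie());
    seed_copy_fixed(fixed, demo_cookie());
    return as_found[0] == '\0' && strcmp(fixed, demo_cookie()) == 0;
}
```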