hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initialize memory in password hashing

Browse Source 
The authentication code did not initialize one of the buffers used to
calculate the password hashes. This resulted in the use of uninitialized
memory when the user provided no password.
This commit is contained in:
Markus Mäkelä
2018-11-28 00:15:57 +02:00
parent 631711f2bf
commit 24d1876ed4
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/modules/authenticator/MySQLAuth/dbusers.c
View File

@ -220,7 +220,7 @@ static bool check_password(const char *output, uint8_t *token, size_t token_len,
/** Next, extract the SHA1 of the real password by XOR'ing it with /** Next, extract the SHA1 of the real password by XOR'ing it with
* the output of the previous calculation */ * the output of the previous calculation */
uint8_t step2[SHA_DIGEST_LENGTH]; uint8_t step2[SHA_DIGEST_LENGTH] = {};
gw_str_xor(step2, token, step1, token_len); gw_str_xor(step2, token, step1, token_len);
/** The phase 2 scramble needs to be copied to the shared data structure as it /** The phase 2 scramble needs to be copied to the shared data structure as it