From dcf55d409934d19e29532609e9647f0a3cd5bb23 Mon Sep 17 00:00:00 2001 From: Markus Makela Date: Thu, 29 Sep 2016 14:57:44 +0300 Subject: [PATCH] Fix possible out of bounds read in CDCPlainAuth When the authentication string was decoded from hexadecimal to binary, it was possible that an out of bounds read was done if the length of the data was not an even number. --- server/modules/authenticator/cdc_plain_auth.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/server/modules/authenticator/cdc_plain_auth.c b/server/modules/authenticator/cdc_plain_auth.c index 0c605f675..e50dcb482 100644 --- a/server/modules/authenticator/cdc_plain_auth.c +++ b/server/modules/authenticator/cdc_plain_auth.c @@ -285,6 +285,12 @@ cdc_auth_set_client_data(CDC_session *client_data, uint8_t *client_auth_packet, int client_auth_packet_size) { + if (client_auth_packet_size % 2 != 0) + { + /** gw_hex2bin expects an even number of bytes */ + client_auth_packet_size--; + } + int rval = CDC_STATE_AUTH_ERR; int decoded_size = client_auth_packet_size / 2; char decoded_buffer[decoded_size + 1]; // Extra for terminating null