From 052cf082b0faaef4eaaa4e94119d7a1437aac4a3 Mon Sep 17 00:00:00 2001
From: squidadm
Date: Wed, 18 Oct 2023 04:50:56 +1300
Subject: [PATCH] Fix stack buffer overflow when parsing Digest Authorization (#1517)
The bug was discovered and detailed by Joshua Rogers at https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html where it was filed as "Stack Buffer Overflow in Digest Authentication".
---------
Co-authored-by: Alex Bason
Co-authored-by: Amos Jeffries
---
src/auth/digest/Config.cc | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/auth/digest/Config.cc b/src/auth/digest/Config.cc
index d42831a55..be9f3c433 100644
--- a/src/auth/digest/Config.cc
+++ b/src/auth/digest/Config.cc
@@ -844,11 +844,15 @@ Auth::Digest::Config::decode(char const *proxy_auth, const HttpRequest *request,
 break;
 case DIGEST_NC:
- if (value.size() != 8) {
+ if (value.size() == 8) {
+ // for historical reasons, the nc value MUST be exactly 8 bytes
+ static_assert(sizeof(digest_request->nc) == 8 + 1, "bad nc buffer size");
+ xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
+ debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
+ } else {
 debugs(29, 9, "Invalid nc '" << value << "' in '" << temp << "'");
+ digest_request->nc[0] = 0;
 }
- xstrncpy(digest_request->nc, value.rawBuf(), value.size() + 1);
- debugs(29, 9, "Found noncecount '" << digest_request->nc << "'");
 break;
 case DIGEST_CNONCE:
--
2.25.1
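Review bot: The new guard in the `DIGEST_NC` case accepts any eight bytes as a nonce count: it tests `value.size() == 8` but never checks that those bytes are hexadecimal digits, which is what the Digest grammar requires (`nc-value = 8LHEX` in RFC 2617). The length check and the `static_assert` close the overflow, so this is an input-validation gap rather than a memory-safety one; a per-byte hex-digit test before the `xstrncpy` would keep malformed counters away from whatever later interprets `digest_request->nc`. The `else` branch only clears the buffer and logs at debug level 9, and `decode()` starts and ends outside this hunk, so it is worth confirming that an empty `nc` fails authentication on every qop path rather than being treated as absent. The comment would also be more useful if it named the reason for the constant, for example `// RFC 2617: nc is exactly 8 hex digits; nc[] holds 8 + 1 bytes`.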