Several foolish bugs caught by Eric Grosse

-Steve

Reference: /n/sources/patch/applied/factotum-chap-ehg
Date: Mon Dec  6 16:31:04 CET 2004

--- /sys/src/cmd/auth/factotum/chap.c	Mon Dec  6 16:31:04 2004
+++ /sys/src/cmd/auth/factotum/chap.c	Mon Dec  6 16:31:04 2004
@@ -124,18 +124,6 @@
 	free(s);
 }
 
-void
-dmpkey(char *s, void *v, int n)
-{
-	int i;
-	char *p = v;
-
-	print("%s", s);
-	for (i = 0; i < n; i++)
-		print("%02x ", *p++);
-	print("\n");
-}
-
 
 static int
 chapwrite(Fsstate *fss, void *va, uint n)
@@ -197,6 +185,7 @@
 			memmove(&cr, va, sizeof cr);
 			ocr.id = cr.id;
 			memmove(ocr.resp, cr.resp, sizeof ocr.resp);
+			memset(omcr.uid, 0, sizeof(omcr.uid));
 			strecpy(ocr.uid, ocr.uid+sizeof ocr.uid, s->user);
 			reply = &ocr;
 			nreply = sizeof ocr;
@@ -207,12 +196,10 @@
 			memmove(&mcr, va, sizeof mcr);
 			memmove(omcr.LMresp, mcr.LMresp, sizeof omcr.LMresp);
 			memmove(omcr.NTresp, mcr.NTresp, sizeof omcr.NTresp);
+			memset(omcr.uid, 0, sizeof(omcr.uid));
 			strecpy(omcr.uid, omcr.uid+sizeof omcr.uid, s->user);
 			reply = &omcr;
 			nreply = sizeof omcr;
-print("%s\n", omcr.uid);
-dmpkey("LM ", omcr.LMresp, 24);
-dmpkey("NT ", omcr.NTresp, 24);
 			break;
 		}
 		if(doreply(s, reply, nreply) < 0)
@@ -240,7 +227,8 @@
 	case CHaveResp:
 		switch(s->astype){
 		default:
-			abort();
+			phaseerror(fss, "write");
+			break;
 		case AuthMSchap:
 			if(*n > sizeof(MSchapreply))
 				*n = sizeof(MSchapreply);
@@ -388,17 +376,15 @@
 static void
 doNTchap(char *pass, uchar chal[ChapChallen], uchar reply[MSchapResplen])
 {
+	Rune r;
 	int i, n;
-	uchar *w, unipass[256];
 	uchar digest[MD4dlen];
-
-	Rune r;
+	uchar *w, unipass[256];
 
 	// Standard says unlimited length, experience says 128 max
 	if ((n = strlen(pass)) > 128)
 		n = 128;
 
-	memset(unipass, 0, sizeof unipass);
 	for(i=0, w=unipass; i < n; i++) {
 		pass += chartorune(&r, pass);
 		*w++ = r & 0xff;
@@ -406,7 +392,8 @@
 	}
 
 	memset(digest, 0, sizeof digest);
-	md4(unipass, w - unipass, digest, nil);
+	md4(unipass, w-unipass, digest, nil);
+	memset(unipass, 0, sizeof unipass);
 	hash(digest, chal, reply);
 }
 
@@ -432,6 +419,7 @@
 		block_cipher(schedule, p16+i*8, 0);
 	}
 
+	memset(p14, 0, sizeof p14);
 	hash(p16, chal, reply);
 }
 
@@ -442,7 +430,10 @@
 	int n = strlen(pass);
 
 	*buf = id;
-	strcpy(buf+1, pass);
+	if (n > MAXNAMELEN)
+		n = MAXNAMELEN-1;
+	memset(buf, 0, sizeof buf);
+	strncpy(buf+1, pass, n);
 	memmove(buf+1+n, chal, ChapChallen);
 	md5((uchar*)buf, 1+n+ChapChallen, resp, nil);
 }