Several foolish bugs caught by Eric Grosse -Steve Reference: /n/sources/patch/applied/factotum-chap-ehg Date: Mon Dec 6 16:31:04 CET 2004 --- /sys/src/cmd/auth/factotum/chap.c Mon Dec 6 16:31:04 2004 +++ /sys/src/cmd/auth/factotum/chap.c Mon Dec 6 16:31:04 2004 @@ -124,18 +124,6 @@ free(s); } -void -dmpkey(char *s, void *v, int n) -{ - int i; - char *p = v; - - print("%s", s); - for (i = 0; i < n; i++) - print("%02x ", *p++); - print("\n"); -} - static int chapwrite(Fsstate *fss, void *va, uint n) @@ -197,6 +185,7 @@ memmove(&cr, va, sizeof cr); ocr.id = cr.id; memmove(ocr.resp, cr.resp, sizeof ocr.resp); + memset(omcr.uid, 0, sizeof(omcr.uid)); strecpy(ocr.uid, ocr.uid+sizeof ocr.uid, s->user); reply = &ocr; nreply = sizeof ocr; @@ -207,12 +196,10 @@ memmove(&mcr, va, sizeof mcr); memmove(omcr.LMresp, mcr.LMresp, sizeof omcr.LMresp); memmove(omcr.NTresp, mcr.NTresp, sizeof omcr.NTresp); + memset(omcr.uid, 0, sizeof(omcr.uid)); strecpy(omcr.uid, omcr.uid+sizeof omcr.uid, s->user); reply = &omcr; nreply = sizeof omcr; -print("%s\n", omcr.uid); -dmpkey("LM ", omcr.LMresp, 24); -dmpkey("NT ", omcr.NTresp, 24); break; } if(doreply(s, reply, nreply) < 0) @@ -240,7 +227,8 @@ case CHaveResp: switch(s->astype){ default: - abort(); + phaseerror(fss, "write"); + break; case AuthMSchap: if(*n > sizeof(MSchapreply)) *n = sizeof(MSchapreply); @@ -388,17 +376,15 @@ static void doNTchap(char *pass, uchar chal[ChapChallen], uchar reply[MSchapResplen]) { + Rune r; int i, n; - uchar *w, unipass[256]; uchar digest[MD4dlen]; - - Rune r; + uchar *w, unipass[256]; // Standard says unlimited length, experience says 128 max if ((n = strlen(pass)) > 128) n = 128; - memset(unipass, 0, sizeof unipass); for(i=0, w=unipass; i < n; i++) { pass += chartorune(&r, pass); *w++ = r & 0xff; @@ -406,7 +392,8 @@ } memset(digest, 0, sizeof digest); - md4(unipass, w - unipass, digest, nil); + md4(unipass, w-unipass, digest, nil); + memset(unipass, 0, sizeof unipass); hash(digest, chal, reply); } @@ -432,6 +419,7 @@ block_cipher(schedule, p16+i*8, 0); } + memset(p14, 0, sizeof p14); hash(p16, chal, reply); } @@ -442,7 +430,10 @@ int n = strlen(pass); *buf = id; - strcpy(buf+1, pass); + if (n > MAXNAMELEN) + n = MAXNAMELEN-1; + memset(buf, 0, sizeof buf); + strncpy(buf+1, pass, n); memmove(buf+1+n, chal, ChapChallen); md5((uchar*)buf, 1+n+ChapChallen, resp, nil); }