Bug #2478

invalid memory read in qop=auth-int "handling"

Added by oinkaroonie over 1 year ago. Updated about 1 year ago.

Status: Fixed
Start date: 2013-02-21
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: -
Target version: 1.4.33
Missing in 1.5.x: No

Description

When qop == "auth-int" in an HTTP Digest authorization request, A2 is supposed to include an MD5sum of the message body. Currently, lighttpd computes the MD5 of random memory:

li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);

This proposed patch correctly computes A2 when qop is "auth-int".

diffs - proposed patch (3.96 KB) oinkaroonie, 2013-02-21 00:53
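The following is an added reference implementation of the RFC 2617 digest computation the report is about; it is not lighttpd code and not the reporter's patch. It shows A2 for qop=auth (Method:uri) beside A2 for qop=auth-int (Method:uri:H(entity-body)), the value the quoted li_MD5_Update call was supposed to feed in, and a server-side verify() that, for auth-int, necessarily needs the complete request body in hand. The Authorization header and the "Mufasa" credentials are the RFC 2617 section 3.5 example; the POST body and the password_lookup callback are constructed for the example.

```python
import hashlib
import hmac
import re

# RFC 2617 uses MD5 throughout; H() is the hex digest of the MD5 of its input.
def _h(data: str) -> str:
    return hashlib.md5(data.encode("latin-1")).hexdigest()


def a2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    """A2 per RFC 2617 3.2.2.3.

    qop=auth     : A2 = Method ":" digest-uri-value
    qop=auth-int : A2 = Method ":" digest-uri-value ":" H(entity-body)

    The bug in #2478 is that lighttpd hashed HASHHEXLEN bytes read from a
    one-byte "" literal where H(entity-body) belongs, so the last field of A2
    was whatever memory followed that literal.
    """
    if qop == "auth":
        return f"{method}:{uri}"
    if qop == "auth-int":
        return f"{method}:{uri}:{hashlib.md5(body).hexdigest()}"
    raise ValueError(f"unsupported qop {qop!r}")


def digest_response(username, realm, password, method, uri,
                    nonce, nc, cnonce, qop, body=b""):
    """request-digest = H( H(A1) ":" nonce ":" nc ":" cnonce ":" qop ":" H(A2) )"""
    ha1 = _h(f"{username}:{realm}:{password}")
    ha2 = _h(a2(method, uri, qop, body))
    return _h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


# Minimal parser for the parameter list of "Authorization: Digest ...".
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value: str) -> dict:
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: (quoted or bare) for k, quoted, bare in _PARAM_RE.findall(params)}


def verify(header: str, method: str, body: bytes, password_lookup) -> bool:
    """Server-side check of an Authorization header against the received body.

    For qop=auth-int the whole entity body must already be buffered, which is
    exactly what a streaming server cannot do without reading the body first.
    password_lookup(username, realm) is an assumed callback into the user store.
    """
    p = parse_digest_header(header)
    required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
    if any(k not in p for k in required):
        return False
    qop = p.get("qop", "auth")
    if qop not in ("auth", "auth-int"):
        return False
    try:
        password = password_lookup(p["username"], p["realm"])
    except KeyError:
        return False
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"],
                               qop, body)
    # Constant-time comparison; the nonce/nc replay checks are out of scope here.
    return hmac.compare_digest(expected, p["response"])


# RFC 2617 section 3.5 example (qop=auth, GET, no body).
RFC2617_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
RFC2617_PASSWORD = "Circle Of Life"

# Constructed POST body for the auth-int case (not from the RFC).
SAMPLE_BODY = b"user=alice&action=transfer&amount=100"


def build_auth_int_header(body: bytes) -> str:
    """Client side: same Mufasa credentials, but qop=auth-int over a POST body."""
    resp = digest_response("Mufasa", "testrealm@host.com", RFC2617_PASSWORD,
                           "POST", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001",
                           "0a4f113b", "auth-int", body)
    return ('Digest username="Mufasa", realm="testrealm@host.com", '
            'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
            f'qop=auth-int, nc=00000001, cnonce="0a4f113b", response="{resp}"')


if __name__ == "__main__":
    lookup = lambda user, realm: RFC2617_PASSWORD
    print("RFC vector verifies:", verify(RFC2617_HEADER, "GET", b"", lookup))
    hdr = build_auth_int_header(SAMPLE_BODY)
    print("auth-int, intact body:", verify(hdr, "POST", SAMPLE_BODY, lookup))
    print("auth-int, tampered body:", verify(hdr, "POST", SAMPLE_BODY + b"0", lookup))
```

The tampered-body case is the whole point of auth-int: the response binds the body hash, so a modified body fails verification. It is also why the maintainer's answer below is not a dodge: a server that passes the body through to a backend as it arrives has nothing to hash at the moment it must decide on the Authorization header, and TLS protects the body without that constraint.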

Associated revisions

Revision 2877
Added by stbuehler about 1 year ago

[mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478)

History

#1 Updated by darix over 1 year ago

  • Status changed from New to Need Feedback

With how big bodies did you test that? Did you test it with fastcgi?

#2 Updated by stbuehler about 1 year ago

  • Target version set to 1.4.33

The invalid read should be fixed ofc, but parsing the request body is not gonna happen. (async, ...)

Just use https if you want to protect the connection; qop=auth-int won't be supported.

#3 Updated by stbuehler about 1 year ago

  • Subject changed from qop == "auth-int" doesn't compute A2 correctly to invalid memory read in qop=auth-int "handling"

#4 Updated by stbuehler about 1 year ago

  • Status changed from Need Feedback to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2877.
