Bug #2478

invalid memory read in qop=auth-int "handling"

Added by oinkaroonie about 1 year ago. Updated 10 months ago.

Status: Fixed
Start date: 2013-02-21
Priority: Normal
Due date:
Assignee: -
% Done:
Target version: 1.4.33
Missing in 1.5.x: No


When qop == "auth-int" in an HTTP Digest authorization request, A2 is supposed to include an MD5sum of the message body. Currently, lighttpd computes the MD5 of random memory:

li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);

This proposed patch correctly computes A2 when qop is "auth-int".

diffs - proposed patch (3.96 KB) oinkaroonie, 2013-02-21 00:53
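For reference, here is an added example (not the reporter's patch and not lighttpd code) of the RFC 2617 computation the report refers to, written in Python with hashlib: with qop=auth-int, A2 is METHOD:uri:H(entity-body), so the server must hash the body it actually received; with qop=auth the body is not covered at all. Credentials, nonces and request bodies are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample credentials and nonces (not taken from the bug report).
CREDS = {"alice": "s3cret"}
REALM = "lighttpd-example"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"

def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(method, uri, body, username, password, qop):
    """RFC 2617 response value. With qop=auth-int, A2 covers H(entity-body);
    with qop=auth it does not, so the body is outside the integrity check."""
    ha1 = md5hex(f"{username}:{REALM}:{password}".encode())
    if qop == "auth-int":
        # H(entity-body) is the term the report says lighttpd computed over
        # the wrong memory instead of over the request body.
        a2 = f"{method}:{uri}:{md5hex(body)}"
    else:
        a2 = f"{method}:{uri}"
    ha2 = md5hex(a2.encode())
    return md5hex(f"{ha1}:{NONCE}:{NC}:{CNONCE}:{qop}:{ha2}".encode())

def server_accepts(method, uri, body, username, qop, response):
    """Server-side check: recompute from the stored password and the request
    exactly as received. For auth-int the server needs the whole body."""
    password = CREDS.get(username)
    if password is None:
        return False
    expected = digest_response(method, uri, body, username, password, qop)
    return hmac.compare_digest(expected, response)

def demo(qop):
    """Returns (genuine request accepted, body-modified request accepted)."""
    body = b'{"amount": 10}'
    resp = digest_response("POST", "/update", body, "alice", "s3cret", qop)
    genuine = server_accepts("POST", "/update", body, "alice", qop, resp)
    modified = server_accepts("POST", "/update", b'{"amount": 9999}',
                              "alice", qop, resp)
    return genuine, modified

if __name__ == "__main__":
    print("auth-int:", demo("auth-int"))  # (True, False): body change detected
    print("auth:    ", demo("auth"))      # (True, True): body not covered
```

The second result is why stbuehler's advice below makes sense: without auth-int (or TLS), Digest authenticates the request line but says nothing about the body.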

Associated revisions

Revision 2877
Added by stbuehler 10 months ago

[mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478)


#1 Updated by darix about 1 year ago

  • Status changed from New to Need Feedback

With how big of bodies did you test that?
Did you test it with fastcgi?

#2 Updated by stbuehler 10 months ago

  • Target version set to 1.4.33

The invalid read should be fixed ofc, but parsing the request body is not gonna happen. (async, ...)

Just use https if you want to protect the connection; qop=auth-int won't be supported.

#3 Updated by stbuehler 10 months ago

  • Subject changed from qop == "auth-int" doesn't compute A2 correctly to invalid memory read in qop=auth-int "handling"

#4 Updated by stbuehler 10 months ago

  • Status changed from Need Feedback to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2877.
