<p>Jaco Kroon has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.asterisk.org/8938">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">manager: fix digest auth for ami/http mechanism.<br><br>Given that the a2 buffer ends up containing the user-supplied uri value<br>a static buffer can be trivially overflowed. The potential DOS (memory<br>exhaustion) should be handled already in the http module by way of max<br>request size (specifically the MAX_HTTP_LINE_LENGTH).<br><br>ASTERISK-27841<br><br>Change-Id: I660609db13b8f9e5f9567f339dd804f4985d41b3<br>---<br>M main/manager.c<br>1 file changed, 14 insertions(+), 10 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/38/8938/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">diff --git a/main/manager.c b/main/manager.c<br>index 577c7f9..23e52b2 100644<br>--- a/main/manager.c<br>+++ b/main/manager.c<br>@@ -8006,22 +8006,26 @@<br> <br> /* compute the expected response to compare with what we received */<br> {<br>- char a2[256];<br>+ char *a2;<br> char a2_hash[256];<br> char resp[256];<br> <br> /* XXX Now request method are hardcoded in A2 */<br>- snprintf(a2, sizeof(a2), "%s:%s", ast_get_http_method(method), d.uri);<br>- ast_md5_hash(a2_hash, a2);<br>+ a2 = ast_asprintf("%s:%s", ast_get_http_method(method), d.uri);<br>+ if (a2) {<br>+ ast_md5_hash(a2_hash, a2);<br> <br>- if (d.qop) {<br>- /* RFC 2617 */<br>- snprintf(resp, sizeof(resp), "%s:%08lx:%s:%s:auth:%s", user->a1_hash, nonce, d.nc, d.cnonce, a2_hash);<br>- } else {<br>- /* RFC 2069 */<br>- snprintf(resp, sizeof(resp), "%s:%08lx:%s", user->a1_hash, nonce, a2_hash);<br>+ if (d.qop) {<br>+ /* RFC 2617 */<br>+ snprintf(resp, sizeof(resp), "%s:%08lx:%s:%s:auth:%s", user->a1_hash, nonce, d.nc, d.cnonce, a2_hash);<br>+ } else {<br>+ /* RFC 2069 */<br>+ snprintf(resp, 
sizeof(resp), "%s:%08lx:%s", user->a1_hash, nonce, a2_hash);<br>+ }<br>+ ast_md5_hash(resp_hash, resp);<br>+<br>+ ast_free(a2);<br> }<br>- ast_md5_hash(resp_hash, resp);<br> }<br> <br> if (strncasecmp(d.response, resp_hash, strlen(resp_hash))) {<br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/8938">change 8938</a>. To unsubscribe, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/8938"/><meta itemprop="name" content="View Change"/></div></div>
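<p>Review bot: the new <code>ast_asprintf</code> call in the "compute the expected response" block is used with the wrong calling convention, and the <code>if (a2)</code> fallback leaves <code>resp_hash</code> uninitialised. <code>ast_asprintf</code> mirrors asprintf(3): the destination is its first argument (<code>ast_asprintf(&amp;a2, "%s:%s", ast_get_http_method(method), d.uri)</code>) and the return value is the length written or -1, so <code>a2 = ast_asprintf(...)</code> is an int-to-pointer assignment and <code>if (a2)</code> does not detect an allocation failure. With the call corrected, the failure branch still needs an explicit exit: when the allocation fails the block skips <code>ast_md5_hash(resp_hash, resp)</code> and control falls straight through to <code>strncasecmp(d.response, resp_hash, strlen(resp_hash))</code> with whatever happened to be in <code>resp_hash</code>; check for <code>&lt; 0</code>, send an error response and leave the auth path instead of comparing against uninitialised memory. Minor: the commit message's "can be trivially overflowed" overstates the old code, since <code>snprintf(a2, sizeof(a2), ...)</code> truncated rather than overflowed; the defect being fixed is that a URI longer than the buffer produced a truncated A2 whose digest could never match the client's, so authentication failed, and the memory-exhaustion concern it mentions is a separate point worth keeping in the message.</p>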
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>
<div style="display:none"> Gerrit-Change-Id: I660609db13b8f9e5f9567f339dd804f4985d41b3 </div>
<div style="display:none"> Gerrit-Change-Number: 8938 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: Jaco Kroon <jaco@uls.co.za> </div>