Browse code
Fix a null-pointer dereference in establish_http_proxy_passthru()
Prevents that the client crashes if the peer does not specify
the 'realm' and/or 'nonce' values. These pointers are
dereferenced in DigestCalcHA1() and DigestCalcResponse();
hence, if not set, a null-pointer dereference would occur.
Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1497574736-2092-1-git-send-email-gv@guidovranken.nl>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14844.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Guido Vranken authored on 2017/06/16 09:58:56Showing 1 changed files
| ... | ... |
@@ -875,6 +875,13 @@ establish_http_proxy_passthru(struct http_proxy_info *p, |
| 875 | 875 |
const char *algor = get_pa_var("algorithm", pa, &gc);
|
| 876 | 876 |
const char *opaque = get_pa_var("opaque", pa, &gc);
|
| 877 | 877 |
|
| 878 |
+ if ( !realm || !nonce ) |
|
| 879 |
+ {
|
|
| 880 |
+ msg(D_LINK_ERRORS, "HTTP proxy: digest auth failed, malformed response " |
|
| 881 |
+ "from server: realm= or nonce= missing" ); |
|
| 882 |
+ goto error; |
|
| 883 |
+ } |
|
| 884 |
+ |
|
| 878 | 885 |
/* generate a client nonce */ |
| 879 | 886 |
ASSERT(rand_bytes(cnonce_raw, sizeof(cnonce_raw))); |
| 880 | 887 |
cnonce = make_base64_string2(cnonce_raw, sizeof(cnonce_raw), &gc); |