author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2017-04-27 21:20:29 +0200 |
---|---|---|
committer | Sébastien Helleu <flashcode@flashtux.org> | 2017-04-27 21:20:29 +0200 |
commit | b297c2d56eca4b736bbc425bf35df2f9f3c34480 (patch) | |
tree | d6cf012c1cd56c1df27fef1d437e12d4d0ea9ef0 /src | |
parent | 9ccb798bcd2dcd0cb4a03de15e0d9427bf6e06d2 (diff) | |
irc: fix crash in case of invalid server reply during SASL authentication with dh-blowfish or dh-aes mechanism
These mechanisms are not recommended anyway because they are considered
insecure.
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/irc/irc-sasl.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/plugins/irc/irc-sasl.c b/src/plugins/irc/irc-sasl.c
index 31b527d1f..c4b3c3f45 100644
--- a/src/plugins/irc/irc-sasl.c
+++ b/src/plugins/irc/irc-sasl.c
@@ -19,6 +19,7 @@
 * along with WeeChat. If not, see <http://www.gnu.org/licenses/>.
 */
+#include <limits.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -357,6 +358,8 @@ irc_sasl_dh (const char *data_base64,
 data_prime_number = gcry_mpi_new (size * 8);
 gcry_mpi_scan (&data_prime_number, GCRYMPI_FMT_USG, ptr_data, size, NULL);
 num_bits_prime_number = gcry_mpi_get_nbits (data_prime_number);
+ if (num_bits_prime_number == 0 || INT_MAX - 7 < num_bits_prime_number)
+ goto dhend;
 ptr_data += size;
 length_data -= size;
@@ -388,7 +391,7 @@ irc_sasl_dh (const char *data_base64,
 gcry_mpi_powm (pub_key, data_generator_number, priv_key, data_prime_number);
 /* compute secret_bin */
- *length_key = num_bits_prime_number / 8;
+ *length_key = (num_bits_prime_number + 7) / 8;
 *secret_bin = malloc (*length_key);
 secret_mpi = gcry_mpi_new (num_bits_prime_number);
 /* secret_mpi = (y ^ priv_key) % p */ |
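Review bot: The new guard in the `@@ -357` hunk depends on the `gcry_mpi_scan` call two lines above it, whose return value is discarded, so the bit count is taken from whatever the scan left in `data_prime_number`. Since the bytes come from the server reply, testing the result first, `if (gcry_mpi_scan (&data_prime_number, GCRYMPI_FMT_USG, ptr_data, size, NULL) != 0) goto dhend;`, would make the check independent of how a failed scan behaves. The bound `INT_MAX - 7` is also unexplained at the check; a comment such as `/* reject an empty prime and sizes where (nbits + 7) / 8 would overflow */` would tie it to the rounding in the last hunk. The `dhend` label and the rest of irc_sasl_dh are outside the hunk, so whether that path releases `data_prime_number` cannot be confirmed from here.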
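Review bot: In the `@@ -388` hunk, `*secret_bin = malloc (*length_key);`, right after the changed rounding, has no NULL check in the visible lines, although the requested size is derived from a server-supplied prime. Adding `if (!*secret_bin) goto dhend;` directly after the allocation would stop a failed malloc from reaching the code that writes the secret, assuming the `dhend` path tolerates a null `*secret_bin`. The function continues past the end of the hunk, so a check further down cannot be ruled out. A short comment on the new line, e.g. `/* key length in bytes, rounded up from the prime's bit count */`, would record why the `+ 7` is there.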