From b297c2d56eca4b736bbc425bf35df2f9f3c34480 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Thu, 27 Apr 2017 21:20:29 +0200
Subject: irc: fix crash in case of invalid server reply during SASL authentication with dh-blowfish or dh-aes mechanism

These mechanisms are not recommended anyway because they are considered as insecure.
---
 ChangeLog.adoc | 1 +
 src/plugins/irc/irc-sasl.c | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/ChangeLog.adoc b/ChangeLog.adoc
index 87dc638f6..ec891c225 100644
--- a/ChangeLog.adoc
+++ b/ChangeLog.adoc
@@ -44,6 +44,7 @@ Bug fixes::
   * core: fix command /cursor stop (do not toggle cursor mode) (issue #964)
   * core: fix delayed refresh when the signal SIGWINCH is received (terminal resized), send signal "signal_sigwinch" after refreshes (issue #902)
+  * irc: fix crash in case of invalid server reply during SASL authentication with dh-blowfish or dh-aes mechanism
   * irc: fix double decoding of IRC colors in messages sent/displayed by commands /msg and /query (issue #943)
   * irc: fix parsing of message 324 (modes) when there is a colon before the modes (issue #913)
   * relay: check buffer pointer received in "sync" and "desync" commands (weechat protocol) (issue #936)
diff --git a/src/plugins/irc/irc-sasl.c b/src/plugins/irc/irc-sasl.c
index 31b527d1f..c4b3c3f45 100644
--- a/src/plugins/irc/irc-sasl.c
+++ b/src/plugins/irc/irc-sasl.c
@@ -19,6 +19,7 @@
  * along with WeeChat. If not, see .
  */
 
+#include
 #include
 #include
 #include
@@ -357,6 +358,8 @@ irc_sasl_dh (const char *data_base64,
     data_prime_number = gcry_mpi_new (size * 8);
     gcry_mpi_scan (&data_prime_number, GCRYMPI_FMT_USG, ptr_data, size, NULL);
     num_bits_prime_number = gcry_mpi_get_nbits (data_prime_number);
+    if (num_bits_prime_number == 0 || INT_MAX - 7 < num_bits_prime_number)
+        goto dhend;
     ptr_data += size;
     length_data -= size;
 
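Review bot: The return value of `gcry_mpi_scan` on the context line just above the new guard is still ignored, so a prime the scan rejects is only caught indirectly through the `== 0` test; checking it directly, `if (gcry_mpi_scan (&data_prime_number, GCRYMPI_FMT_USG, ptr_data, size, NULL) != 0) goto dhend;`, makes that failure path explicit. The new guard also carries no comment saying what it protects: the `== 0` half rejects an empty prime from the server (which would otherwise make the derived key length 0 later in the function) and the `INT_MAX - 7` half keeps the later `(num_bits_prime_number + 7) / 8` rounding from overflowing, so a comment such as `/* reject an empty prime, or one so large that the "+ 7" byte rounding below would overflow */` would record that. I cannot see whether `size` was bounded by `length_data` before this point; if it was not, the `ptr_data += size; length_data -= size;` context lines still trust a server-supplied length. irc_sasl_dh begins before and continues after this hunk.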
@@ -388,7 +391,7 @@ irc_sasl_dh (const char *data_base64,
     gcry_mpi_powm (pub_key, data_generator_number, priv_key, data_prime_number);
 
     /* compute secret_bin */
-    *length_key = num_bits_prime_number / 8;
+    *length_key = (num_bits_prime_number + 7) / 8;
     *secret_bin = malloc (*length_key);
     secret_mpi = gcry_mpi_new (num_bits_prime_number);
     /* secret_mpi = (y ^ priv_key) % p */
-- 
cgit v1.2.3
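Review bot: The rounded-up byte length on the `+` line is correct but undocumented, and the `malloc (*length_key)` on the following context line is still used with no NULL check; a comment `/* bytes needed to hold the prime, rounded up; the earlier nbits guard keeps "+ 7" from overflowing */` and `if (!*secret_bin) goto dhend;` after the malloc would close both gaps. Whether the dhend path releases the MPIs and buffers already built at that point is outside the hunk, so that target should be confirmed before adding the second goto. irc_sasl_dh continues outside the hunk.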