From: Eivind Næss Date: Mon, 6 Mar 2023 07:03:13 +0000 (-0800) Subject: Fix out-of-bounds accesses to ZPasswordHash arrays (#395) X-Git-Tag: ppp-2.5.0~16 X-Git-Url: http://git.ozlabs.org/?a=commitdiff_plain;ds=sidebyside;h=3de4392234241ae91300854264864da213a49b10;p=ppp.git Fix out-of-bounds accesses to ZPasswordHash arrays (#395) * Add 'const' parameter to input arguments in crypto_ms.* * Round ZPasswordHash buffers up to 24 bytes, as the DES MakeKey() function accesses ZPasswordHash[21] Closes github issue #392 [paulus@ozlabs.org - tidied up headline and commit message] Signed-off-by: Eivind Næss
---
diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
index c34b6aa..d1e0cf8 100644
--- a/pppd/chap_ms.c
+++ b/pppd/chap_ms.c
@@ -509,7 +509,7 @@ ChallengeResponse(u_char *challenge, u_char *PasswordHash, u_char *response) {
- u_char ZPasswordHash[21];
+ u_char ZPasswordHash[24];
 PPP_CIPHER_CTX *ctx; BZERO(ZPasswordHash, sizeof(ZPasswordHash));
diff --git a/pppd/crypto_ms.c b/pppd/crypto_ms.c
index 81f3a76..a9ddd5f 100644
--- a/pppd/crypto_ms.c
+++ b/pppd/crypto_ms.c
@@ -125,7 +125,7 @@ MakeKey(const unsigned char *key, unsigned char *des_key) #include int
-DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher)
+DesEncrypt(const unsigned char *clear, const unsigned char *key, unsigned char *cipher)
 { int retval = 0; unsigned int clen = 0;
@@ -154,7 +154,7 @@ DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher) } int
-DesDecrypt(unsigned char *cipher, unsigned char *key, unsigned char *clear)
+DesDecrypt(const unsigned char *cipher, const unsigned char *key, unsigned char *clear)
 { int retval = 0; unsigned int clen = 0;
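Review bot: In ChallengeResponse (pppd/chap_ms.c) the new `u_char ZPasswordHash[24];` has no comment explaining why the buffer is larger than the previous 21 bytes, so a later cleanup could shrink it again and reintroduce the out-of-bounds access named in the commit message. I would add a comment above the declaration, for example `/* padded from 21 to 24 bytes: MakeKey() accesses ZPasswordHash[21] */`. The same literal 24 is repeated in the test_encrypt and test_decrypt hunks of pppd/crypto_ms.c, so a shared named constant would keep the three sites in step. The widening fixes the callers rather than MakeKey() itself, whose body is not shown in this diff, so any other caller passing a tightly sized key buffer would presumably still be exposed. ChallengeResponse's body continues outside the hunk.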
@@ -196,10 +196,10 @@ int test_encrypt() 0xD0, 0x2E, 0x43, 0x86, 0xBC, 0xE9, 0x12, 0x26 };
- unsigned char ZPasswordHash[21] = {
+ unsigned char ZPasswordHash[24] = {
 0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6, 0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE
- };
+ };
 unsigned char expected[24] = { 0x82, 0x30, 0x9E, 0xCD, 0x8D, 0x70, 0x8B, 0x5E,
@@ -222,7 +222,7 @@ int test_decrypt() 0xD0, 0x2E, 0x43, 0x86, 0xBC, 0xE9, 0x12, 0x26 };
- unsigned char ZPasswordHash[21] = {
+ unsigned char ZPasswordHash[24] = {
 0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6, 0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE };
diff --git a/pppd/crypto_ms.h b/pppd/crypto_ms.h
index 9083594..e9a039c 100644
--- a/pppd/crypto_ms.h
+++ b/pppd/crypto_ms.h
@@ -40,10 +40,10 @@ * This is the DES encrypt functions as described by RFC2759. * * Parameters:
- * unsigned char *clear:
+ * const unsigned char *clear:
 * A 8 byte input array to be encrypted *
- * unsigned char *key:
+ * const unsigned char *key:
 * A raw 7-byte array to be expanded to 8 with odd-parity * * unsigned char *cipher:
@@ -51,17 +51,17 @@ * * DesEncrypt returns 1 on success */
-int DesEncrypt(unsigned char *clear, unsigned char *key,
+int DesEncrypt(const unsigned char *clear, const unsigned char *key,
 unsigned char *cipher); /** * This is the DES decrypt functions as described by RFC2759. * * Parameters:
- * unsigned char *cipher:
+ * const unsigned char *cipher:
 * A 8 byte input array to be decrypted *
- * unsigned char *key:
+ * const unsigned char *key:
 * A raw 7-byte array to be expanded to a 8-byte key with odd-parity * * unsigned char *clear:
@@ -69,7 +69,7 @@ int DesEncrypt(unsigned char *clear, unsigned char *key, * * DesDecrypt returns 1 on success */
-int DesDecrypt(unsigned char *cipher, unsigned char *key,
+int DesDecrypt(const unsigned char *cipher, const unsigned char *key,
 unsigned char *clear); #endif /* PPP_PPPCRYPT_H */
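Review bot: The DesEncrypt and DesDecrypt doc comments in pppd/crypto_ms.h still describe `key` as "A raw 7-byte array", which no longer matches what callers must provide. Per the commit message, MakeKey() accesses ZPasswordHash[21], one byte beyond the end of the old 21-byte buffer, so a caller that sizes its key buffer from this documentation can still be read out of bounds. The hunks at -40 and -51 already edit these parameter lines, so the key text should state the real requirement, for example `A raw 7-byte key; 8 bytes must be readable at this address`. The exact read extent is inferred from the commit message, since MakeKey()'s body is not part of this diff.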