Fix out-of-bounds accesses to ZPasswordHash arrays (#395)

* Add 'const' parameter to input arguments in crypto_ms.*

* Round ZPasswordHash buffers up to 24 bytes, as the DES MakeKey() function
  accesses ZPasswordHash[21]

Closes github issue #392

[paulus@ozlabs.org - tidied up headline and commit message]

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>

diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
index c34b6aa5c7199bab245b0009e5148ea9770c8393..d1e0cf80212c265cdfeae2c4c6659d15c8422108 100644 (file)
--- a/pppd/chap_ms.c
+++ b/pppd/chap_ms.c
@@ -509,7 +509,7 @@ ChallengeResponse(u_char *challenge,
                  u_char *PasswordHash,
                  u_char *response)
 {
-    u_char ZPasswordHash[21];
+    u_char ZPasswordHash[24];
     PPP_CIPHER_CTX *ctx;
 
     BZERO(ZPasswordHash, sizeof(ZPasswordHash));

diff --git a/pppd/crypto_ms.c b/pppd/crypto_ms.c
index 81f3a76eff08b0b623d66ad071bf5ce56dfa3a0b..a9ddd5fda9465eb3a2fc18f96ae3993b1e09e979 100644 (file)
--- a/pppd/crypto_ms.c
+++ b/pppd/crypto_ms.c
@@ -125,7 +125,7 @@ MakeKey(const unsigned char *key, unsigned char *des_key)
 #include <openssl/evp.h>
 
 int
-DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher)
+DesEncrypt(const unsigned char *clear, const unsigned char *key, unsigned char *cipher)
 {
     int retval = 0;
     unsigned int clen = 0;
@@ -154,7 +154,7 @@ DesEncrypt(unsigned char *clear, unsigned char *key, unsigned char *cipher)
 }
 
 int
-DesDecrypt(unsigned char *cipher, unsigned char *key, unsigned char *clear)
+DesDecrypt(const unsigned char *cipher, const unsigned char *key, unsigned char *clear)
 {
     int retval = 0;
     unsigned int clen = 0;
@@ -196,10 +196,10 @@ int test_encrypt()
         0xD0, 0x2E, 0x43, 0x86, 0xBC, 0xE9, 0x12, 0x26
     };  
 
-    unsigned char ZPasswordHash[21] = { 
+    unsigned char ZPasswordHash[24] = {
         0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6,
         0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE
-    };  
+    };
 
     unsigned char expected[24] = { 
         0x82, 0x30, 0x9E, 0xCD, 0x8D, 0x70, 0x8B, 0x5E, 
@@ -222,7 +222,7 @@ int test_decrypt()
         0xD0, 0x2E, 0x43, 0x86, 0xBC, 0xE9, 0x12, 0x26
     };
 
-    unsigned char ZPasswordHash[21] = {
+    unsigned char ZPasswordHash[24] = {
         0x44, 0xEB, 0xBA, 0x8D, 0x53, 0x12, 0xB8, 0xD6,
         0x11, 0x47, 0x44, 0x11, 0xF5, 0x69, 0x89, 0xAE
     };

diff --git a/pppd/crypto_ms.h b/pppd/crypto_ms.h
index 90835940e0589e9a79b2add18d10e05bf2408855..e9a039cbf055e9e87131847bf13a4e1a0f757ec7 100644 (file)
--- a/pppd/crypto_ms.h
+++ b/pppd/crypto_ms.h
@@ -40,10 +40,10 @@
  * This is the DES encrypt functions as described by RFC2759.
  * 
  * Parameters:
- * unsigned char *clear:
+ * const unsigned char *clear:
  *      A 8 byte input array to be encrypted
  * 
- * unsigned char *key: 
+ * const unsigned char *key:
  *      A raw 7-byte array to be expanded to 8 with odd-parity
  *
  * unsigned char *cipher:
@@ -51,17 +51,17 @@
  *
  * DesEncrypt returns 1 on success
  */
-int DesEncrypt(unsigned char *clear, unsigned char *key, 
+int DesEncrypt(const unsigned char *clear, const unsigned char *key,
         unsigned char *cipher);
 
 /**
  * This is the DES decrypt functions as described by RFC2759.
  * 
  * Parameters:
- * unsigned char *cipher:
+ * const unsigned char *cipher:
  *      A 8 byte input array to be decrypted
  *
- * unsigned char *key: 
+ * const unsigned char *key:
  *      A raw 7-byte array to be expanded to a 8-byte key with odd-parity
  *
  * unsigned char *clear:
@@ -69,7 +69,7 @@ int DesEncrypt(unsigned char *clear, unsigned char *key,
  *
  * DesDecrypt returns 1 on success
  */
-int DesDecrypt(unsigned char *cipher, unsigned char *key, 
+int DesDecrypt(const unsigned char *cipher, const unsigned char *key,
         unsigned char *clear);
 
 #endif /* PPP_PPPCRYPT_H */