File mosquitto-1.4.x-cve-2018-12551.patch of Package mosquitto.9664

From: "Roger A. Light" <roger@atchoo.org>
Date: Wed, 30 Jan 2019 15:01:34 +0000
Subject: [PATCH 01/10] Fix and tests for security bug #543401.

diff --git a/src/security_default.c b/src/security_default.c
index 26d8b59..743020c 100644
--- a/src/security_default.c
+++ b/src/security_default.c
@@ -499,6 +499,9 @@ static int pwfile__parse(const char *file, struct mosquitto__unpwd **root)
 
 	while(!feof(pwfile)){
 		if(fgets(buf, 256, pwfile)){
+			if(buf[0] == '#') continue;
+			if(!strchr(buf, ':')) continue;
+
 			username = strtok_r(buf, ":", &saveptr);
 			if(username){
 				unpwd = _mosquitto_calloc(1, sizeof(struct _mosquitto_unpwd));
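Review bot: The new `if(!strchr(buf, ':')) continue;` at L16 drops any line without a separator silently, so a non-blank but malformed entry (a typo'd line, or the tail of a line longer than the 255 bytes `fgets` reads per call) disappears with no operator-visible signal, while the second hunk logs a NOTICE for the other malformed case. Skipping blank lines quietly is fine; for anything else I would emit the same notice before continuing: `if(!strchr(buf, ':')){ if(buf[0] != '\n' && buf[0] != '\r' && buf[0] != '\0') _mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "Warning: Invalid line in password file '%s': %s", file, buf); continue; }`. pwfile__parse begins before this hunk, so the declaration of `buf` should be checked there against the literal 256 passed to `fgets` (an `enum`/`sizeof buf` would keep them in step).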
@@ -517,8 +517,13 @@ static int pwfile__parse(const char *file, struct mosquitto__unpwd **root)
 						unpwd->password[len-1] = '\0';
 						len = strlen(unpwd->password);
 					}
+
+					HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
+				}else{
+					_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "Warning: Invalid line in password file '%s': %s", file, buf);
+					_mosquitto_free(unpwd->username);
+					_mosquitto_free(unpwd);
 				}
-				HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
 			}
 		}
 	}
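Review bot: The notice at L28 formats `buf`, but `strtok_r` at L18 has already written a NUL over the first ':', so the logged "line" is only the leading token and never shows what was actually wrong with the entry. Logging `unpwd->username` instead is equally informative and is already newline-trimmed; if the whole line is wanted, copy `buf` before tokenising. The `if` whose else branch this is, and the rest of pwfile__parse, lie outside the hunk, so I have assumed `unpwd->password` is still NULL on that path (the calloc at L20) and nothing else needs releasing there.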
@@ -693,34 +701,39 @@ static int unpwd__file_parse(struct mosquitto__unpwd **unpwd, const char *passwo
 				token = strtok(NULL, "$");
 				if(token){
 					rc = _base64_decode(token, &salt, &salt_len);
-					if(rc){
-						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s.", u->username);
-						return MOSQ_ERR_INVAL;
-					}
-					u->salt = salt;
-					u->salt_len = salt_len;
-					token = strtok(NULL, "$");
-					if(token){
-						rc = _base64_decode(token, &password, &password_len);
-						if(rc){
-							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s.", u->username);
-							return MOSQ_ERR_INVAL;
+					if(rc == MOSQ_ERR_SUCCESS && salt_len == 12){
+						u->salt = salt;
+						u->salt_len = salt_len;
+						token = strtok(NULL, "$");
+						if(token){
+							rc = _base64_decode(token, &password, &password_len);
+							if(rc == MOSQ_ERR_SUCCESS && password_len == 64){
+								_mosquitto_free(u->password);
+								u->password = (char *)password;
+								u->password_len = password_len;
+							}else{
+								_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s, removing entry.", u->username);
+								HASH_DEL(db->unpwd, u);
+							}
+						}else{
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
+							HASH_DEL(db->unpwd, u);
 						}
-						_mosquitto_free(u->password);
-						u->password = (char *)password;
-						u->password_len = password_len;
 					}else{
-						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
-						return MOSQ_ERR_INVAL;
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s, removing entry.", u->username);
+						HASH_DEL(db->unpwd, u);
 					}
 				}else{
-					_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
-					return MOSQ_ERR_INVAL;
+					_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
+					HASH_DEL(db->unpwd, u);
 				}
 			}else{
-				_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
-				return MOSQ_ERR_INVAL;
+				_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
+				HASH_DEL(db->unpwd, u);
 			}
+		}else{
+			_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Missing password hash for user %s, removing entry.", u->username);
+			HASH_DEL(db->unpwd, u);
 		}
 	}
 #endif
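Review bot: Every `HASH_DEL(db->unpwd, u)` in this hunk (L64, L68, L77, L83, L89, L93) unlinks the rejected entry but frees nothing, so `u`, `u->username`, `u->password` and, on the two paths after L53–54, `u->salt` leak for each bad line; if this parser also runs on password-file reload the leak repeats per reload. The two length checks leak as well: when `_base64_decode` returns success but `salt_len != 12` or `password_len != 64`, the decoded buffer is never released, and the hunk itself shows that ownership of that buffer passes to the caller (`u->salt = salt`, `u->password = (char *)password`). A small helper that unlinks and frees the entry, called at all six sites, plus freeing the rejected decode buffer, closes both; whether `salt`/`password` are left NULL on a failed decode must be confirmed in `_base64_decode`, which is not on the page. The enclosing iteration over `db->unpwd` and the `if(token && ...)` that opens this nesting start before the hunk, so check there that removing `u` mid-iteration is tolerated (HASH_ITER with a saved next pointer is).
```c
/* Unlink a rejected entry from the table and release everything it owns. */
static void unpwd__drop_entry(struct mosquitto_db *db, struct _mosquitto_unpwd *u)
{
	HASH_DEL(db->unpwd, u);
	_mosquitto_free(u->username);
	_mosquitto_free(u->password);
	_mosquitto_free(u->salt);
	_mosquitto_free(u);
}

/* … unchanged: iteration over db->unpwd, "$6$" check, salt decode … */
							if(rc == MOSQ_ERR_SUCCESS && password_len == 64){
								/* … unchanged: take ownership of the decoded password … */
							}else{
								_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s, removing entry.", u->username);
								_mosquitto_free(password);	/* decoded but rejected for length; assumes NULL when decode failed */
								unpwd__drop_entry(db, u);
							}
/* … the remaining HASH_DEL sites become unpwd__drop_entry(db, u); the salt_len != 12 site also frees salt first … */
```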
-- 
2.19.1
