mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 06:41:32 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: base64: check output boundaries within base64{dec,urldec}

Browse Source 
Ensure that no more than olen bytes is written to the output buffer,
otherwise we might experience an unexpected behavior.

While the original code used to validate that the output size was
always large enough before starting to write, this validation was
later broken by the commit below, allowing to 3-byte blocks to
areas whose size is not multiple of 3:

  commit ed697e4856e5ac0b9931fd50fd8ff1b7739e5d88
  Author: Emeric Brun <ebrun@haproxy.com>
  Date:   Mon Jan 14 14:38:39 2019 +0100

    BUG/MINOR: base64: dec func ignores padding for output size checking

    Decode function returns an error even if the ouptut buffer is
    large enought because the padding was not considered. This
    case was never met with current code base.

For base64urldec(), it's basically the same problem except that since
the input format supports arbitrary lengths, the problem has always
been there since its introduction in 2.4.

This should be backported to all stable branches having a backport of
the patch above (i.e. 2.0), with some adjustments depending on the
availability of the base64dec() and base64urldec().
This commit is contained in:
Dragan Dosen 2021-08-24 09:48:04 +02:00 committed by Willy Tarreau
parent 76ad371b86
commit f3899ddbcb
1 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/base64.c
View File

@ -167,9 +167,12 @@ int base64dec(const char *in, size_t ilen, char *out, size_t olen) {
*/
/* xx000000 xx001111 xx111122 xx222222 */
out[convlen] = ((t[0] << 2) + (t[1] >> 4));
out[convlen+1] = ((t[1] << 4) + (t[2] >> 2));
out[convlen+2] = ((t[2] << 6) + (t[3] >> 0));
if (convlen < olen)
out[convlen] = ((t[0] << 2) + (t[1] >> 4));
if (convlen+1 < olen)
out[convlen+1] = ((t[1] << 4) + (t[2] >> 2));
if (convlen+2 < olen)
out[convlen+2] = ((t[2] << 6) + (t[3] >> 0));
convlen += 3-pad;
@ -237,9 +240,12 @@ int base64urldec(const char *in, size_t ilen, char *out, size_t olen)
*/
/* xx000000 xx001111 xx111122 xx222222 */
out[convlen] = ((t[0] << 2) + (t[1] >> 4));
out[convlen + 1] = ((t[1] << 4) + (t[2] >> 2));
out[convlen + 2] = ((t[2] << 6) + (t[3] >> 0));
if (convlen < olen)
out[convlen] = ((t[0] << 2) + (t[1] >> 4));
if (convlen+1 < olen)
out[convlen+1] = ((t[1] << 4) + (t[2] >> 2));
if (convlen+2 < olen)
out[convlen+2] = ((t[2] << 6) + (t[3] >> 0));
convlen += 3;
i = 0;