From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001 |
From: Manuel Nickschas <sputnick@quassel-irc.org> |
Date: Tue, 21 Oct 2014 21:20:07 +0200 |
Subject: [PATCH] Check for invalid input in encrypted buffers |
|
The ECB Blowfish decryption function assumed that encrypted input would |
always come in blocks of 12 characters, as specified. However, buggy |
clients or annoying people may not adhere to that assumption, causing |
the core to crash while trying to process the invalid base64 input. |
|
With this commit we make sure that we're not overstepping the bounds of |
the input string while decoding it; instead we bail out early and display |
the original input. Fixes #1314. |
|
Thanks to Tucos for finding that one! |
--- |
src/core/cipher.cpp | 11 ++++++++++- |
1 file changed, 10 insertions(+), 1 deletion(-) |
|
diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp |
index 7cc75d0..7d1fe46 100644 |
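--- a/src/core/cipher.cpp
+++ b/src/core/cipher.cpp
@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
 }
 else
 {
+ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
+ if ((temp.length() % 12) != 0)
+ return cipherText;
+
 temp = b64ToByte(temp);
 while ((temp.length() % 8) != 0) temp.append('\0');
 }
@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
 if (!cipher.ok())
 return cipherText;
 
- if (direction)
+ if (direction) {
+ // Sanity check
+ if ((temp2.length() % 8) != 0)
+ return cipherText;
+
 temp2 = byteToB64(temp2);
+ }
 
 return temp2;
 }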
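Review bot: The new guard in the decrypt branch of the first hunk checks only that `temp.length()` is a multiple of 12, so the bounds safety of `b64ToByte()` still rests on every caller performing this check first. `b64ToByte()` is not visible in this diff; if it has other callers, or if it handles bytes outside its alphabet unsafely, the same kind of crash may remain reachable, and enforcing the length (and alphabet) check inside the decoder itself would be more robust. At minimum the precondition should be recorded at the call site, e.g. `// b64ToByte() does no bounds checking: input length must be a multiple of 12`. In the second hunk, `// Sanity check` would say more as `// byteToB64() consumes whole 8-byte blocks; refuse a partial block`. The body of `blowfishECB` starts outside the visible hunks, so how `temp` and `temp2` are produced is inferred.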