| 1 |
From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001 |
| 2 |
From: Manuel Nickschas <sputnick@quassel-irc.org> |
| 3 |
Date: Tue, 21 Oct 2014 21:20:07 +0200 |
| 4 |
Subject: [PATCH] Check for invalid input in encrypted buffers |
| 5 |
|
| 6 |
The ECB Blowfish decryption function assumed that encrypted input would |
| 7 |
always come in blocks of 12 characters, as specified. However, buggy |
| 8 |
clients or annoying people may not adhere to that assumption, causing |
| 9 |
the core to crash while trying to process the invalid base64 input. |
| 10 |
|
| 11 |
With this commit we make sure that we're not overstepping the bounds of |
| 12 |
the input string while decoding it; instead we bail out early and display |
| 13 |
the original input. Fixes #1314. |
| 14 |
|
| 15 |
Thanks to Tucos for finding that one! |
| 16 |
--- |
| 17 |
src/core/cipher.cpp | 11 ++++++++++- |
| 18 |
1 file changed, 10 insertions(+), 1 deletion(-) |
| 19 |
|
| 20 |
diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp |
| 21 |
index 7cc75d0..7d1fe46 100644 |
| 22 |
--- a/src/core/cipher.cpp |
| 23 |
+++ b/src/core/cipher.cpp |
| 24 |
@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction) |
| 25 |
} |
| 26 |
else |
| 27 |
{ |
| 28 |
+ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input |
| 29 |
+ if ((temp.length() % 12) != 0) |
| 30 |
+ return cipherText; |
| 31 |
+ |
| 32 |
temp = b64ToByte(temp); |
| 33 |
while ((temp.length() % 8) != 0) temp.append('\0'); |
| 34 |
} |
| 35 |
@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction) |
| 36 |
if (!cipher.ok()) |
| 37 |
return cipherText; |
| 38 |
|
| 39 |
- if (direction) |
| 40 |
+ if (direction) { |
| 41 |
+ // Sanity check |
| 42 |
+ if ((temp2.length() % 8) != 0) |
| 43 |
+ return cipherText; |
| 44 |
+ |
| 45 |
temp2 = byteToB64(temp2); |
| 46 |
+ } |
| 47 |
|
| 48 |
return temp2; |
| 49 |
} |
Parent Directory
| 
Revision Log