mod_session_crypto: Sanity check should the potentially encrypted

author Graham Leggett <minfrin@apache.org>

Sun, 13 Sep 2009 16:04:13 +0000 (16:04 +0000)

committer Graham Leggett <minfrin@apache.org>

Sun, 13 Sep 2009 16:04:13 +0000 (16:04 +0000)
author Graham Leggett <minfrin@apache.org>
Sun, 13 Sep 2009 16:04:13 +0000 (16:04 +0000)
committer Graham Leggett <minfrin@apache.org>
Sun, 13 Sep 2009 16:04:13 +0000 (16:04 +0000)
diff --git a/CHANGES b/CHANGES

index fcf3ac75610ac51b96221212a349ab66538689e8..f1fe99907474e9c22fdcbf663738c35b3ad1f72e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
  
  Changes with Apache 2.3.3
  
+  *) mod_session_crypto: Sanity check should the potentially encrypted
+     session cookie be too short. [Graham Leggett]
+
    *) mod_session.c: Prevent a segfault when session is added but not
       configured. [Graham Leggett]
  
diff --git a/modules/session/mod_session_crypto.c b/modules/session/mod_session_crypto.c

index 080c108dbef39b0054929a8b86c08746c81602c8..ab7980d1dd81aff997d9f2fd810f72611ebe1c32 100644 (file)
--- a/modules/session/mod_session_crypto.c
+++ b/modules/session/mod_session_crypto.c
@@ -225,6 +225,13 @@ static apr_status_t decrypt_string(request_rec * r, const apr_crypto_driver_t *d
          return res;
      }
  
+    /* sanity check - decoded too short? */
+    if (decodedlen < (sizeof(apr_uuid_t) + ivSize)) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, APR_SUCCESS, r, LOG_PREFIX
+                "too short to decrypt, skipping");
+        return APR_ECRYPT;
+    }
+
      /* bypass the salt at the start of the decoded block */
      decoded += sizeof(apr_uuid_t);
      decodedlen -= sizeof(apr_uuid_t);
author	Graham Leggett <minfrin@apache.org>
	Sun, 13 Sep 2009 16:04:13 +0000 (16:04 +0000)
committer	Graham Leggett <minfrin@apache.org>
	Sun, 13 Sep 2009 16:04:13 +0000 (16:04 +0000)
CHANGES		patch \| blob \| history
modules/session/mod_session_crypto.c		patch \| blob \| history