Description: Fix for CVE-2018-12551
Author: Roger Light <roger@atchoo.org>
Forwarded: not-needed
Origin: upstream, https://mosquitto.org/files/cve/2018-12551/mosquitto-1.4.x_cve-2018-12551.patch
Index: mosquitto-1.4.10/src/security_default.c
===================================================================
--- mosquitto-1.4.10.orig/src/security_default.c
+++ mosquitto-1.4.10/src/security_default.c
@@ -556,6 +556,9 @@ static int _pwfile_parse(const char *fil
 
 	while(!feof(pwfile)){
 		if(fgets(buf, 256, pwfile)){
+			if(buf[0] == '#') continue;
+			if(!strchr(buf, ':')) continue;
+
 			username = strtok_r(buf, ":", &saveptr);
 			if(username){
 				unpwd = _mosquitto_calloc(1, sizeof(struct _mosquitto_unpwd));
@@ -588,8 +591,13 @@ static int _pwfile_parse(const char *fil
 						unpwd->password[len-1] = '\0';
 						len = strlen(unpwd->password);
 					}
+
+					HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
+				}else{
+					_mosquitto_log_printf(NULL, MOSQ_LOG_NOTICE, "Warning: Invalid line in password file '%s': %s", file, buf);
+					_mosquitto_free(unpwd->username);
+					_mosquitto_free(unpwd);
 				}
-				HASH_ADD_KEYPTR(hh, *root, unpwd->username, strlen(unpwd->username), unpwd);
 			}
 		}
 	}
@@ -626,34 +634,39 @@ static int _unpwd_file_parse(struct mosq
 				token = strtok(NULL, "$");
 				if(token){
 					rc = _base64_decode(token, &salt, &salt_len);
-					if(rc){
-						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s.", u->username);
-						return MOSQ_ERR_INVAL;
-					}
-					u->salt = salt;
-					u->salt_len = salt_len;
-					token = strtok(NULL, "$");
-					if(token){
-						rc = _base64_decode(token, &password, &password_len);
-						if(rc){
-							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s.", u->username);
-							return MOSQ_ERR_INVAL;
+					if(rc == MOSQ_ERR_SUCCESS && salt_len == 12){
+						u->salt = salt;
+						u->salt_len = salt_len;
+						token = strtok(NULL, "$");
+						if(token){
+							rc = _base64_decode(token, &password, &password_len);
+							if(rc == MOSQ_ERR_SUCCESS && password_len == 64){
+								_mosquitto_free(u->password);
+								u->password = (char *)password;
+								u->password_len = password_len;
+							}else{
+								_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password for user %s, removing entry.", u->username);
+								HASH_DEL(db->unpwd, u);
+							}
+						}else{
+							_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
+							HASH_DEL(db->unpwd, u);
 						}
-						_mosquitto_free(u->password);
-						u->password = (char *)password;
-						u->password_len = password_len;
 					}else{
-						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
-						return MOSQ_ERR_INVAL;
+						_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Unable to decode password salt for user %s, removing entry.", u->username);
+						HASH_DEL(db->unpwd, u);
 					}
 				}else{
-					_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
-					return MOSQ_ERR_INVAL;
+					_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
+					HASH_DEL(db->unpwd, u);
 				}
 			}else{
-				_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s.", u->username);
-				return MOSQ_ERR_INVAL;
+				_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Invalid password hash for user %s, removing entry.", u->username);
+				HASH_DEL(db->unpwd, u);
 			}
+		}else{
+			_mosquitto_log_printf(NULL, MOSQ_LOG_ERR, "Error: Missing password hash for user %s, removing entry.", u->username);
+			HASH_DEL(db->unpwd, u);
 		}
 	}
 #endif