From 8b5ecd226f9208af3074b33d3b7cf5e14f55b138 Mon Sep 17 00:00:00 2001
From: Manuel Nickschas <sputnick@quassel-irc.org>
Date: Tue, 21 Oct 2014 21:20:07 +0200
Subject: [PATCH] Check for invalid input in encrypted buffers
The ECB Blowfish decryption function assumed that encrypted input would
always come in blocks of 12 characters, as specified. However, buggy
clients or annoying people may not adhere to that assumption, causing
the core to crash while trying to process the invalid base64 input.
With this commit we make sure that we're not overstepping the bounds of
the input string while decoding it; instead we bail out early and display
the original input. Fixes #1314.
Thanks to Tucos for finding that one!
---
src/core/cipher.cpp | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/core/cipher.cpp b/src/core/cipher.cpp
index 7cc75d0..7d1fe46 100644
--- a/src/core/cipher.cpp
+++ b/src/core/cipher.cpp
@@ -364,6 +364,10 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
}
else
{
+ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
+ if ((temp.length() % 12) != 0)
+ return cipherText;
+
temp = b64ToByte(temp);
while ((temp.length() % 8) != 0) temp.append('\0');
}
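Review bot: The new guard on `temp.length() % 12` validates only the length of the encoded input, not its content, so a 12-character block of bytes outside the expected base64 alphabet still reaches `b64ToByte(temp)`. That helper is not visible here, so it is worth confirming that it rejects or safely maps characters it does not recognise, rather than using a failed lookup result as an index or shift amount. An empty `temp` also passes the check (0 % 12 == 0), so the zero-length case should be verified as well. A regression test feeding lengths such as 1, 11 and 13, plus a 12-character block of non-alphabet bytes, would pin the behaviour. `blowfishECB` begins and ends outside this hunk.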
@@ -376,8 +380,13 @@ QByteArray Cipher::blowfishECB(QByteArray cipherText, bool direction)
if (!cipher.ok())
return cipherText;
- if (direction)
+ if (direction) {
+ // Sanity check
+ if ((temp2.length() % 8) != 0)
+ return cipherText;
+
temp2 = byteToB64(temp2);
+ }
return temp2;
}
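Review bot: Returning `cipherText` from the new check inside `if (direction) {` hands the caller its input unchanged. Because this branch base64-encodes the result, it appears to be the encrypting direction, where that input would be the unencrypted message. The callers are outside this hunk, so it should be confirmed that they treat a return value equal to the input as a failure and do not send it on. The `// Sanity check` comment would also help more if it named what is being protected, for example `// byteToB64() presumably consumes 8-byte blocks; bail out rather than encode a partial block`. The start of `blowfishECB` is outside the hunk.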