------------------------------------------------------------
revno: 11805
revision-id: squid3@treenet.co.nz-20130426040648-s73lt0mx9i579lnj
parent: squid3@treenet.co.nz-20130329065415-egjdtzsxbr5wxriu
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3825
author: Michal Luscon <mluscon@redhat.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.2
timestamp: Thu 2013-04-25 22:06:48 -0600
message:
  Bug 3825: basic_ncsa_auth segfaulting with glibc-2.17
  
  It appears the crypt() function may return NULL strings. Check for those
  before all strcmp() operations.
  
  NOTE: The MD5 output checks are probably not needed but since SquidMD5 is
  an object build-time switched between several encryption library API
  definitions it is better to be safe here as well.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130426040648-s73lt0mx9i579lnj
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_2
# testament_sha1: a90c0b0e3983e2e1a70021fc4c8d990264a78f91
# timestamp: 2013-04-26 04:14:09 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
#   /SQUID_3_2
# base_revision_id: squid3@treenet.co.nz-20130329065415-\
#   egjdtzsxbr5wxriu
# 
# Begin patch
=== modified file 'helpers/basic_auth/NCSA/basic_ncsa_auth.cc'
--- helpers/basic_auth/NCSA/basic_ncsa_auth.cc	2012-11-26 08:32:53 +0000
+++ helpers/basic_auth/NCSA/basic_ncsa_auth.cc	2013-04-26 04:06:48 +0000
@@ -144,19 +144,20 @@
         rfc1738_unescape(user);
         rfc1738_unescape(passwd);
         u = (user_data *) hash_lookup(hash, user);
+        char *crypted = NULL;
         if (u == NULL) {
             SEND_ERR("No such user");
 #if HAVE_CRYPT
-        } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+        } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
             // Bug 3107: crypt() DES functionality silently truncates long passwords.
             SEND_OK("");
-        } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+        } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
             // Bug 3107: crypt() DES functionality silently truncates long passwords.
             SEND_ERR("Password too long. Only 8 characters accepted.");
 #endif
-        } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
+        } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
             SEND_OK("");
-        } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
+        } else if ( (crypted =  md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
             SEND_OK("");
         } else {
             SEND_ERR("Wrong password");