------------------------------------------------------------
revno: 12528
revision-id: squid3@treenet.co.nz-20130418053047-7kj11nug4pjq2re7
parent: squid3@treenet.co.nz-20130418052931-t4xhtz09kibo3ky0
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3825
author: Michal Luscon <mluscon@redhat.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: 3.3
timestamp: Wed 2013-04-17 23:30:47 -0600
message:
  Bug 3825: basic_ncsa_auth segfaulting with glibc-2.17
  
  It appears the crypt() function may return NULL strings. Check for those
  before all strcmp() operations.
  
  NOTE: The MD5 output checks are probably not needed but since SquidMD5 is
  an object build-time switched between several encryption library API
  definitions it is better to be safe here as well.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130418053047-7kj11nug4pjq2re7
# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# testament_sha1: 90939afd65be3c9d19a2684362fe3fdebd20b1aa
# timestamp: 2013-04-18 05:35:44 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3
# base_revision_id: squid3@treenet.co.nz-20130418052931-\
#   t4xhtz09kibo3ky0
# 
# Begin patch
=== modified file 'helpers/basic_auth/NCSA/basic_ncsa_auth.cc'
--- helpers/basic_auth/NCSA/basic_ncsa_auth.cc	2012-11-18 11:34:56 +0000
+++ helpers/basic_auth/NCSA/basic_ncsa_auth.cc	2013-04-18 05:30:47 +0000
@@ -144,19 +144,20 @@
         rfc1738_unescape(user);
         rfc1738_unescape(passwd);
         u = (user_data *) hash_lookup(hash, user);
+        char *crypted = NULL;
         if (u == NULL) {
             SEND_ERR("No such user");
 #if HAVE_CRYPT
-        } else if (strlen(passwd) <= 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+        } else if (strlen(passwd) <= 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
             // Bug 3107: crypt() DES functionality silently truncates long passwords.
             SEND_OK("");
-        } else if (strlen(passwd) > 8 && strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) {
+        } else if (strlen(passwd) > 8 && (crypted = crypt(passwd, u->passwd)) && (strcmp(u->passwd, crypted) == 0)) {
             // Bug 3107: crypt() DES functionality silently truncates long passwords.
             SEND_ERR("Password too long. Only 8 characters accepted.");
 #endif
-        } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) {
+        } else if ( (crypted = crypt_md5(passwd, u->passwd)) && strcmp(u->passwd, crypted) == 0) {
             SEND_OK("");
-        } else if (strcmp(u->passwd, (char *) md5sum(passwd)) == 0) {
+        } else if ( (crypted =  md5sum(passwd)) && strcmp(u->passwd, crypted) == 0) {
             SEND_OK("");
         } else {
             SEND_ERR("Wrong password");