Bug 191511 - opiepasswd(1) segfaults with a seed length > 12
Summary: opiepasswd(1) segfaults with a seed length > 12
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 10.0-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-30 10:25 UTC by mitsururike
Modified: 2015-07-08 18:02 UTC

See Also:
bugmeister: mfc-stable10?
bugmeister: mfc-stable9?
bugmeister: mfc-stable8?


Attachments

Description mitsururike 2014-06-30 10:25:02 UTC
opiepasswd segfaults with a seed length > 12

" ext" is added to the challenge in libopie/challenge.c but it is not
included in the calculation of the OPIE_CHALLENGE_MAX in opie.h.
Falling back to randomchallenge() and clearing mp causes segfault in
opieatob8().

Environment:
System: FreeBSD 10.0-RELEASE-p4 amd64

How-To-Repeat:
opiepasswd -s 0123456789012

Fix:
--- opie.h.dist	2014-06-30 16:53:37.000000000 +0900
+++ opie.h	2014-06-30 16:53:55.000000000 +0900
@@ -72,8 +72,8 @@
 /* Max length of hash algorithm name (md4/md5) */
 #define OPIE_HASHNAME_MAX 3
 
-/* Maximum length of a challenge (otp-md? 9999 seed) */
-#define OPIE_CHALLENGE_MAX (4+OPIE_HASHNAME_MAX+1+4+1+OPIE_SEED_MAX)
+/* Maximum length of a challenge (otp-md? 9999 seed ext) */
+#define OPIE_CHALLENGE_MAX (4+OPIE_HASHNAME_MAX+1+4+1+OPIE_SEED_MAX+4)
 
 /* Maximum length of a response that we allow */
 #define OPIE_RESPONSE_MAX (9+1+19+1+9+OPIE_SEED_MAX+1+19+1+19+1+19)
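Review bot: counting the four bytes of " ext" in OPIE_CHALLENGE_MAX is the right correction for the size constant, but this header-only change leaves the length check in libopie/challenge.c that triggers the randomchallenge() fallback untouched, so the crash described above (mp cleared, then used by opieatob8()) is still reachable whenever that fallback path is taken; the check in challenge.c needs the matching adjustment, including the off-by-one noted in the committed fix, and the fallback should report an error rather than a successful return. Growing OPIE_CHALLENGE_MAX also changes the size of every buffer that callers declare with it, which is an ABI change for libopie consumers and needs a library version bump to go with it.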
Comment 1 commit-hook freebsd_committer 2014-08-11 12:27:00 UTC
A commit references this bug:

Author: ache
Date: Mon Aug 11 12:26:49 UTC 2014
New revision: 269806
URL: http://svnweb.freebsd.org/changeset/base/269806

Log:
  Fix too long (seed length >12 chars) challenge handling.
  1) " ext" length should be included into OPIE_CHALLENGE_MAX (as all places
  in the opie code expect that).
  2) Overflow check in challenge.c is off by 1 even with corrected
  OPIE_CHALLENGE_MAX
  3) When fallback to randomchallenge() happens and rval is 0 (i.e.
  challenge is too long), its value should be set to error state too.

  To demonstrate the bug, run opiepasswd with valid seed:
  opiepasswd -s 1234567890123456
  and notice that it falls back to randomchallenge() (i.e. no
  1234567890123456 in the prompt).

  PR:             191511
  Submitted by:   mitsururike@gmail.com (partially)
  MFC after:      1 week

Changes:
  head/contrib/opie/libopie/challenge.c
  head/contrib/opie/opie.h
Comment 2 commit-hook freebsd_committer 2014-08-18 02:14:39 UTC
A commit references this bug:

Author: ache
Date: Mon Aug 18 02:13:46 UTC 2014
New revision: 270120
URL: http://svnweb.freebsd.org/changeset/base/270120

Log:
  MFC: r269806,r269809,r269811,r269810

  r269806:
  Fix too long (seed length >12 chars) challenge handling.
  1) " ext" length should be included into OPIE_CHALLENGE_MAX (as all places
  in the opie code expect that).
  2) Overflow check in challenge.c is off by 1 even with corrected
  OPIE_CHALLENGE_MAX
  3) When fallback to randomchallenge() happens and rval is 0 (i.e.
  challenge is too long), its value should be set to error state too.

  To demonstrate the bug, run opiepasswd with valid seed:
  opiepasswd -s 1234567890123456
  and notice that it falls back to randomchallenge() (i.e. no
  1234567890123456 in the prompt).

  r269809:
  When sha1 support was added, they forgot to increase OPIE_HASHNAME_MAX

  r269811:
  Last '/' for program name, not first one.

  r269810:
  Link otp-sha1 to match real challenge prompt, not otp-sha.

  PR:     191511
  Submitted by: mitsururike@gmail.com (partially, PR 269806)

Changes:
_U  stable/10/
  stable/10/contrib/opie/libopie/challenge.c
  stable/10/contrib/opie/opie.h
  stable/10/contrib/opie/opiekey.c
  stable/10/usr.bin/opiekey/Makefile
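The three points in the commit log above (count the " ext" suffix in the maximum, compare lengths without an off-by-one, and return an error instead of a silent fallback) are illustrated by the following C program. It is an added example, not code from OPIE or from the FreeBSD commit: the challenge format "otp-<hash> <seq> <seed> ext" and the macro arithmetic are taken from the report, OPIE_HASHNAME_MAX is the post-r269809 value, and OPIE_SEED_MAX is an assumed value chosen for the example. The functions build_challenge(), challenge_length(), fits_in() and challenge_or_null() are hypothetical names, not libopie API.

```c
#include <stdio.h>
#include <string.h>

/* Limits modelled on opie.h. OPIE_HASHNAME_MAX is the value after r269809
 * ("sha1" is four characters); OPIE_SEED_MAX is an assumed value for this
 * example, not taken from the bug report. */
#define OPIE_HASHNAME_MAX 4
#define OPIE_SEED_MAX     16

/* Old macro from the report: "otp-" + hash + ' ' + "9999" + ' ' + seed,
 * with no room for the " ext" suffix that challenge.c appends. */
#define OPIE_CHALLENGE_MAX_OLD (4+OPIE_HASHNAME_MAX+1+4+1+OPIE_SEED_MAX)
/* Corrected macro: the four bytes of " ext" are counted. */
#define OPIE_CHALLENGE_MAX_NEW (4+OPIE_HASHNAME_MAX+1+4+1+OPIE_SEED_MAX+4)

/* Bytes a challenge needs, not counting the terminating NUL. */
size_t challenge_length(const char *hash, unsigned seq, const char *seed)
{
    int n = snprintf(NULL, 0, "otp-%s %u %s ext", hash, seq, seed);
    return n < 0 ? 0 : (size_t)n;
}

/* Format the challenge into buf[bufsize]. Returns 0 on success and -1 when
 * the seed is over OPIE_SEED_MAX or the text (plus NUL) would not fit. On
 * failure buf holds an empty string: the caller gets an error, never a
 * silently substituted challenge. */
int build_challenge(char *buf, size_t bufsize,
                    const char *hash, unsigned seq, const char *seed)
{
    if (bufsize == 0)
        return -1;
    if (strlen(seed) > OPIE_SEED_MAX) {
        buf[0] = '\0';
        return -1;
    }
    int n = snprintf(buf, bufsize, "otp-%s %u %s ext", hash, seq, seed);
    /* n excludes the NUL, so n == bufsize is already a truncation:
     * the comparison must be >=, not >, or the check is off by one. */
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Try to build a challenge into a scratch buffer limited to bufsize bytes;
 * returns build_challenge()'s result. */
int fits_in(size_t bufsize, const char *hash, unsigned seq, const char *seed)
{
    char scratch[128];
    if (bufsize > sizeof scratch)
        return -1;
    return build_challenge(scratch, bufsize, hash, seq, seed);
}

/* Build into a buffer sized with the corrected macro; NULL on failure. */
const char *challenge_or_null(const char *hash, unsigned seq, const char *seed)
{
    static char buf[OPIE_CHALLENGE_MAX_NEW + 1];
    return build_challenge(buf, sizeof buf, hash, seq, seed) == 0 ? buf : NULL;
}

int main(void)
{
    const char *seed = "0123456789012345";   /* 16 chars: the longest allowed */
    printf("needed: %zu, old max: %d, new max: %d\n",
           challenge_length("sha1", 9999, seed),
           OPIE_CHALLENGE_MAX_OLD, OPIE_CHALLENGE_MAX_NEW);
    printf("old-sized buffer: %s\n",
           fits_in(OPIE_CHALLENGE_MAX_OLD + 1, "sha1", 9999, seed) == 0 ? "ok" : "rejected");
    printf("new-sized buffer: %s\n",
           fits_in(OPIE_CHALLENGE_MAX_NEW + 1, "sha1", 9999, seed) == 0 ? "ok" : "rejected");
    return 0;
}
```

With a maximum-length seed the challenge needs 34 bytes, which is exactly the corrected macro and four more than the old one, so a buffer declared as OPIE_CHALLENGE_MAX_OLD + 1 is rejected instead of being overrun. A buffer of exactly OPIE_CHALLENGE_MAX_NEW bytes (no room for the NUL) is also rejected, which is the off-by-one the commit log refers to.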
Comment 3 Andrey A. Chernov freebsd_committer 2014-10-19 19:36:07 UTC
Buffer size change (and resulting library major bump) backed out in -stable and 10x due to ABI breakage.
Comment 4 Glen Barber freebsd_committer 2015-07-08 18:02:31 UTC
Close PRs that have had a corresponding fix committed.