Passwords of length 16 not handled correctly

wlanmac wlan at mac.com
Tue Aug 11 05:06:43 UTC 2009


As discussed in IRC, all patches were committed. 

Wichert, if you send me a htpasswd encoded password and your choice of
usernames, I'll set you up for commit access in SVN.

Also, did you mention you knew off hand how to import this old mailing
list (based on qmail/ezmlm) to Mailman? I need to do that before this
server completely dies. 

Thanks,
David



On Mon, 2009-08-10 at 13:56 +0200, Wichert Akkerman wrote:
> I found another corner case in the password handling: normally passwords 
> are NUL-padded to be a multiple of 16 in length as part of 
> the PAP-obfuscation. chilli then decodes the obfuscated password and 
> ends up with a proper NUL-terminated string. However, if a password is 
> exactly 16 characters, or a multiple thereof, long, no NUL-padding 
> happens. As a result the password string chilli gets is never 
> NUL-terminated. The fix is easy: make sure the incoming password is 
> NUL-terminated so we can get a valid length for it and limit the decoded 
> password to strlen(conn->password) characters. I've attached a patch 
> with this change.
> 
> Wichert.
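
Added example, not part of the original thread and not CoovaChilli's code: a bounded conversion of a de-obfuscated User-Password buffer into a NUL-terminated C string, covering the 16-character case described above. The function name `pap_plain_to_cstr`, the constants, and the choice to reject non-NUL bytes after the first NUL are assumptions of this sketch; the XOR/MD5 step is assumed to have run already.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAP_BLOCK 16   /* RFC 2865: User-Password is padded to 16-octet blocks */
#define PAP_MAX   128  /* RFC 2865: the attribute value is at most 128 octets */

/* Hypothetical helper: plain/plain_len are the bytes left after the XOR step,
 * plain_len being the attribute length taken from the packet.
 * Returns the password length, or -1 on malformed input or a too-small out. */
int pap_plain_to_cstr(const uint8_t *plain, size_t plain_len,
                      char *out, size_t out_size)
{
    if (plain == NULL || out == NULL)
        return -1;
    if (plain_len == 0 || plain_len > PAP_MAX || plain_len % PAP_BLOCK != 0)
        return -1;

    /* Never strlen(plain): a 16/32/...-character password has no padding
     * byte, so the only safe bound is plain_len itself. */
    const uint8_t *nul = memchr(plain, '\0', plain_len);
    size_t pw_len = nul ? (size_t)(nul - plain) : plain_len;

    /* Assumption of this example: anything after the first NUL must be padding. */
    for (size_t i = pw_len; i < plain_len; i++)
        if (plain[i] != '\0')
            return -1;

    if (pw_len + 1 > out_size)
        return -1;
    memcpy(out, plain, pw_len);
    out[pw_len] = '\0';   /* terminate explicitly, even when no padding existed */
    return (int)pw_len;
}

int main(void)
{
    /* Constructed sample: a 16-character password fills the block exactly. */
    uint8_t full[PAP_BLOCK];
    char out[PAP_MAX + 1];
    memcpy(full, "0123456789abcdef", PAP_BLOCK);
    int n = pap_plain_to_cstr(full, sizeof full, out, sizeof out);
    printf("len=%d password=%s\n", n, n >= 0 ? out : "(rejected)");
    return 0;
}
```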



