geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Security Audit 5.5: Check length of message to be within range.

Browse Source
This commit is contained in:
Jim Norman 2006-04-26 16:29:13 +00:00
parent d8ad2aab45
commit 8230adb2d6
3 changed files with 160 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CASA.changes
View File

@ -1,3 +1,7 @@
-------------------------------------------------------------------
Wed Apr 26 10:26:20 MST 2006 - jnorman@novell.com
- Security Audit 5.5: Check length of message to be within range.
-------------------------------------------------------------------
Wed Apr 26 09:10:20 MST 2006 - jnorman@novell.com
- Security Audit 5.13: Ensure that string lengths are within limits

6
c_micasad/init/WinSecretStoreClientService.cs
View File

@ -144,8 +144,8 @@ namespace sscs.init
ti.Install ( new Hashtable ());
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
{
System.Diagnostics.Debug.WriteLine(e.ToString());
}
}
@ -177,7 +177,7 @@ namespace sscs.init
}
catch (Exception e)
{
Console.WriteLine(e.ToString());
System.Diagnostics.Debug.WriteLine(e.ToString());
}
}

308
c_micasad/verbs/ObjectSerialization.cs
View File

@ -79,16 +79,15 @@ namespace sscs.verbs
msgId = BitConverter.ToUInt16(inBuf,0);
inMsgLen = BitConverter.ToUInt32(inBuf,2);
//Console.WriteLine("Serialization verb: msgId is " + msgId + " inMsgLen = " + inMsgLen + "inBuf.Length is " + inBuf.Length);
// check inMsgLen
if ((inMsgLen < 6) || (inMsgLen > 65535))
{
throw new FormatException(" MsgLen invalid.");
}
// if( inMsgLen != inBuf.Length )
// Console.WriteLine("inMsgLen != inBuf.Length");
// throw new FormatException(" MsgLen sent does not match the length of the message received.");
// deserialize the data
BinaryFormatter formatter = new BinaryFormatter();
MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen - 6);
// MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen);
MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen - 6);
WrappedObject request;
WrappedObject reply;
@ -120,112 +119,111 @@ namespace sscs.verbs
internal WrappedObject ProcessMessage(WrappedObject wo, UserIdentifier userId)
{
//Console.WriteLine("ObjectSerialization Called");
SecretStore ssStore = SessionManager.CreateUserSession(userId);
try
{
int action = wo.GetAction();
switch (action)
{
case MiCasaRequestReply.VERB_PING_MICASAD:
{
return DoPing(wo);
}
case MiCasaRequestReply.VERB_SET_LINKED_KEY:
{
return DoSetLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_LINKED_KEY:
{
return DoRemoveLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_LINKED_KEYS:
{
return DoGetLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_CREATE_TEST_SECRETS:
{
return DoCreateTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_TEST_SECRETS:
{
return DoRemoveTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_DUMP_LINKED_KEYS:
{
return DoDumpLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_WRITE_KEY:
{
return DoWriteKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_LOCK_STORE:
{
ssStore.LockStore();
return wo;
}
case MiCasaRequestReply.VERB_UNLOCK_STORE:
{
return DoUnlockStore(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_ALL_SECRETS:
{
// stop persistence
//ssStore.StopPersistence();
// remove secrets
return DoRemoveAllSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_STORE_STATUS:
{
wo.SetObject(ssStore.GetSecretStoreState());
return wo;
}
case MiCasaRequestReply.VERB_REMOVE_KEY:
{
return DoRemoveKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_READ_KEY:
{
return DoReadKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_KEY_LIST:
{
return DoGetKeyList(ssStore, wo);
}
case MiCasaRequestReply.VERB_RESET_MASTER_PASSWORD:
{
return DoResetMasterPassword(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_SECRETIDS:
{
return DoGetSecretIDs(ssStore, wo);
}
default:
{
wo.SetError(constants.RetCodes.FAILURE, "Verb Not Supported");
return wo;
}
}
}
catch (Exception e)
try
{
int action = wo.GetAction();
switch (action)
{
wo.SetError(constants.RetCodes.FAILURE, e.ToString());
}
case MiCasaRequestReply.VERB_PING_MICASAD:
{
return DoPing(wo);
}
case MiCasaRequestReply.VERB_SET_LINKED_KEY:
{
return DoSetLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_LINKED_KEY:
{
return DoRemoveLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_LINKED_KEYS:
{
return DoGetLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_CREATE_TEST_SECRETS:
{
return DoCreateTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_TEST_SECRETS:
{
return DoRemoveTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_DUMP_LINKED_KEYS:
{
return DoDumpLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_WRITE_KEY:
{
return DoWriteKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_LOCK_STORE:
{
ssStore.LockStore();
return wo;
}
case MiCasaRequestReply.VERB_UNLOCK_STORE:
{
return DoUnlockStore(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_ALL_SECRETS:
{
// stop persistence
//ssStore.StopPersistence();
// remove secrets
return DoRemoveAllSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_STORE_STATUS:
{
wo.SetObject(ssStore.GetSecretStoreState());
return wo;
}
case MiCasaRequestReply.VERB_REMOVE_KEY:
{
return DoRemoveKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_READ_KEY:
{
return DoReadKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_KEY_LIST:
{
return DoGetKeyList(ssStore, wo);
}
case MiCasaRequestReply.VERB_RESET_MASTER_PASSWORD:
{
return DoResetMasterPassword(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_SECRETIDS:
{
return DoGetSecretIDs(ssStore, wo);
}
default:
{
wo.SetError(constants.RetCodes.FAILURE, "Verb Not Supported");
return wo;
}
}
}
catch (Exception e)
{
wo.SetError(constants.RetCodes.FAILURE, e.ToString());
}
return wo;
@ -245,12 +243,12 @@ namespace sscs.verbs
StringCollection sc = (StringCollection)wo.GetObject();
if (sc != null)
{
IDictionaryEnumerator etor = (IDictionaryEnumerator)kc.GetAllSecrets();
while(etor.MoveNext())
{
string sID = (string)etor.Key;
sID = sID.Substring(0, sID.Length - 1);
sc.Add(UnescapeID(sID));
IDictionaryEnumerator etor = (IDictionaryEnumerator)kc.GetAllSecrets();
while(etor.MoveNext())
{
string sID = (string)etor.Key;
sID = sID.Substring(0, sID.Length - 1);
sc.Add(UnescapeID(sID));
}
}
}
@ -315,13 +313,13 @@ namespace sscs.verbs
Secret secret = null;
if( keyChain.CheckIfSecretExists(secretID) == false)
{
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
}
else
{
secret = keyChain.GetSecret(secretID);
secret.RemoveKeyValue(keyChain, keyID);
wo.SetError(constants.RetCodes.SUCCESS, null);
secret.RemoveKeyValue(keyChain, keyID);
wo.SetError(constants.RetCodes.SUCCESS, null);
ssStore.UpdatePersistentStore();
}
}
@ -384,22 +382,22 @@ namespace sscs.verbs
Secret secret = null;
if( keyChain.CheckIfSecretExists(secretID) == false)
{
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
}
else
{
secret = keyChain.GetSecret(secretID);
if( null != secret )
{
ArrayList keyList = secret.GetKeyList();
wo.SetObject(keyList);
wo.SetError(constants.RetCodes.SUCCESS, null);
}
if( null != secret )
{
ArrayList keyList = secret.GetKeyList();
wo.SetObject(keyList);
wo.SetError(constants.RetCodes.SUCCESS, null);
}
}
}
catch (Exception e)
{
wo.SetError(constants.RetCodes.FAILURE, e.ToString());
wo.SetError(constants.RetCodes.FAILURE, e.ToString());
}
return wo;
@ -446,7 +444,7 @@ namespace sscs.verbs
}
else
wo.SetError(constants.RetCodes.FAILURE, "Store locked");
wo.SetError(constants.RetCodes.FAILURE, "Store locked");
return wo;
@ -907,33 +905,33 @@ namespace sscs.verbs
}
return wo;
}
*/
private static string UnescapeID(string sOrig)
{
StringBuilder sb = new StringBuilder();
for (int i = 0; i < sOrig.Length; i++)
{
if (sOrig[i] == ('\\'))
{
if (i + 1 < sOrig.Length)
{
if (sOrig[i + 1] == (':')
|| sOrig[i + 1] == ('\\')
|| sOrig[i + 1] == ('='))
{
sb.Append(sOrig[i + 1]);
i++;
}
}
else
sb.Append(sOrig[i]);
}
else
sb.Append(sOrig[i]);
}
return sb.ToString();
}
*/
private static string UnescapeID(string sOrig)
{
StringBuilder sb = new StringBuilder();
for (int i = 0; i < sOrig.Length; i++)
{
if (sOrig[i] == ('\\'))
{
if (i + 1 < sOrig.Length)
{
if (sOrig[i + 1] == (':')
|| sOrig[i + 1] == ('\\')
|| sOrig[i + 1] == ('='))
{
sb.Append(sOrig[i + 1]);
i++;
}
}
else
sb.Append(sOrig[i]);
}
else
sb.Append(sOrig[i]);
}
return sb.ToString();
}
public string GetVerbName()
{
CSSSLogger.ExecutionTrace(this);