geos_one/CASA
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Security Audit 5.5: Check length of message to be within range.

Browse Source
This commit is contained in:
Jim Norman 2006-04-26 16:29:13 +00:00
parent d8ad2aab45
commit 8230adb2d6
3 changed files with 160 additions and 158 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CASA.changes
View File

@ -1,3 +1,7 @@
-------------------------------------------------------------------
Wed Apr 26 10:26:20 MST 2006 - jnorman@novell.com
- Security Audit 5.5: Check length of message to be within range.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 26 09:10:20 MST 2006 - jnorman@novell.com Wed Apr 26 09:10:20 MST 2006 - jnorman@novell.com
- Security Audit 5.13: Ensure that string lengths are within limits - Security Audit 5.13: Ensure that string lengths are within limits

4
c_micasad/init/WinSecretStoreClientService.cs
View File

@ -145,7 +145,7 @@ namespace sscs.init
} }
catch (Exception e) catch (Exception e)
{ {
Console.WriteLine(e.ToString()); System.Diagnostics.Debug.WriteLine(e.ToString());
} }
} }
@ -177,7 +177,7 @@ namespace sscs.init
} }
catch (Exception e) catch (Exception e)
{ {
Console.WriteLine(e.ToString()); System.Diagnostics.Debug.WriteLine(e.ToString());
} }
} }

262
c_micasad/verbs/ObjectSerialization.cs
View File

@ -79,16 +79,15 @@ namespace sscs.verbs
msgId = BitConverter.ToUInt16(inBuf,0); msgId = BitConverter.ToUInt16(inBuf,0);
inMsgLen = BitConverter.ToUInt32(inBuf,2); inMsgLen = BitConverter.ToUInt32(inBuf,2);
//Console.WriteLine("Serialization verb: msgId is " + msgId + " inMsgLen = " + inMsgLen + "inBuf.Length is " + inBuf.Length); // check inMsgLen
if ((inMsgLen < 6) || (inMsgLen > 65535))
// if( inMsgLen != inBuf.Length ) {
// Console.WriteLine("inMsgLen != inBuf.Length"); throw new FormatException(" MsgLen invalid.");
// throw new FormatException(" MsgLen sent does not match the length of the message received."); }
// deserialize the data // deserialize the data
BinaryFormatter formatter = new BinaryFormatter(); BinaryFormatter formatter = new BinaryFormatter();
MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen - 6); MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen - 6);
// MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen);
WrappedObject request; WrappedObject request;
WrappedObject reply; WrappedObject reply;
@ -121,111 +120,110 @@ namespace sscs.verbs
internal WrappedObject ProcessMessage(WrappedObject wo, UserIdentifier userId) internal WrappedObject ProcessMessage(WrappedObject wo, UserIdentifier userId)
{ {
//Console.WriteLine("ObjectSerialization Called");
SecretStore ssStore = SessionManager.CreateUserSession(userId); SecretStore ssStore = SessionManager.CreateUserSession(userId);
try try
{
int action = wo.GetAction();
switch (action)
{ {
int action = wo.GetAction(); case MiCasaRequestReply.VERB_PING_MICASAD:
switch (action)
{ {
case MiCasaRequestReply.VERB_PING_MICASAD: return DoPing(wo);
{ }
return DoPing(wo);
}
case MiCasaRequestReply.VERB_SET_LINKED_KEY: case MiCasaRequestReply.VERB_SET_LINKED_KEY:
{ {
return DoSetLinkedKey(ssStore, wo); return DoSetLinkedKey(ssStore, wo);
} }
case MiCasaRequestReply.VERB_REMOVE_LINKED_KEY: case MiCasaRequestReply.VERB_REMOVE_LINKED_KEY:
{ {
return DoRemoveLinkedKey(ssStore, wo); return DoRemoveLinkedKey(ssStore, wo);
} }
case MiCasaRequestReply.VERB_GET_LINKED_KEYS: case MiCasaRequestReply.VERB_GET_LINKED_KEYS:
{ {
return DoGetLinkedKeys(ssStore, wo); return DoGetLinkedKeys(ssStore, wo);
} }
case MiCasaRequestReply.VERB_CREATE_TEST_SECRETS: case MiCasaRequestReply.VERB_CREATE_TEST_SECRETS:
{ {
return DoCreateTestSecrets(ssStore, wo); return DoCreateTestSecrets(ssStore, wo);
} }
case MiCasaRequestReply.VERB_REMOVE_TEST_SECRETS: case MiCasaRequestReply.VERB_REMOVE_TEST_SECRETS:
{ {
return DoRemoveTestSecrets(ssStore, wo); return DoRemoveTestSecrets(ssStore, wo);
} }
case MiCasaRequestReply.VERB_DUMP_LINKED_KEYS: case MiCasaRequestReply.VERB_DUMP_LINKED_KEYS:
{ {
return DoDumpLinkedKeys(ssStore, wo); return DoDumpLinkedKeys(ssStore, wo);
} }
case MiCasaRequestReply.VERB_WRITE_KEY: case MiCasaRequestReply.VERB_WRITE_KEY:
{ {
return DoWriteKey(ssStore, wo); return DoWriteKey(ssStore, wo);
} }
case MiCasaRequestReply.VERB_LOCK_STORE: case MiCasaRequestReply.VERB_LOCK_STORE:
{ {
ssStore.LockStore(); ssStore.LockStore();
return wo; return wo;
} }
case MiCasaRequestReply.VERB_UNLOCK_STORE: case MiCasaRequestReply.VERB_UNLOCK_STORE:
{ {
return DoUnlockStore(ssStore, wo); return DoUnlockStore(ssStore, wo);
} }
case MiCasaRequestReply.VERB_REMOVE_ALL_SECRETS: case MiCasaRequestReply.VERB_REMOVE_ALL_SECRETS:
{ {
// stop persistence // stop persistence
//ssStore.StopPersistence(); //ssStore.StopPersistence();
// remove secrets // remove secrets
return DoRemoveAllSecrets(ssStore, wo); return DoRemoveAllSecrets(ssStore, wo);
} }
case MiCasaRequestReply.VERB_GET_STORE_STATUS: case MiCasaRequestReply.VERB_GET_STORE_STATUS:
{ {
wo.SetObject(ssStore.GetSecretStoreState()); wo.SetObject(ssStore.GetSecretStoreState());
return wo; return wo;
} }
case MiCasaRequestReply.VERB_REMOVE_KEY: case MiCasaRequestReply.VERB_REMOVE_KEY:
{ {
return DoRemoveKey(ssStore, wo); return DoRemoveKey(ssStore, wo);
} }
case MiCasaRequestReply.VERB_READ_KEY: case MiCasaRequestReply.VERB_READ_KEY:
{ {
return DoReadKey(ssStore, wo); return DoReadKey(ssStore, wo);
} }
case MiCasaRequestReply.VERB_GET_KEY_LIST: case MiCasaRequestReply.VERB_GET_KEY_LIST:
{ {
return DoGetKeyList(ssStore, wo); return DoGetKeyList(ssStore, wo);
} }
case MiCasaRequestReply.VERB_RESET_MASTER_PASSWORD: case MiCasaRequestReply.VERB_RESET_MASTER_PASSWORD:
{ {
return DoResetMasterPassword(ssStore, wo); return DoResetMasterPassword(ssStore, wo);
} }
case MiCasaRequestReply.VERB_GET_SECRETIDS: case MiCasaRequestReply.VERB_GET_SECRETIDS:
{ {
return DoGetSecretIDs(ssStore, wo); return DoGetSecretIDs(ssStore, wo);
} }
default: default:
{ {
wo.SetError(constants.RetCodes.FAILURE, "Verb Not Supported"); wo.SetError(constants.RetCodes.FAILURE, "Verb Not Supported");
return wo; return wo;
}
} }
} }
catch (Exception e) }
{ catch (Exception e)
wo.SetError(constants.RetCodes.FAILURE, e.ToString()); {
} wo.SetError(constants.RetCodes.FAILURE, e.ToString());
}
return wo; return wo;
@ -248,9 +246,9 @@ namespace sscs.verbs
IDictionaryEnumerator etor = (IDictionaryEnumerator)kc.GetAllSecrets(); IDictionaryEnumerator etor = (IDictionaryEnumerator)kc.GetAllSecrets();
while(etor.MoveNext()) while(etor.MoveNext())
{ {
string sID = (string)etor.Key; string sID = (string)etor.Key;
sID = sID.Substring(0, sID.Length - 1); sID = sID.Substring(0, sID.Length - 1);
sc.Add(UnescapeID(sID)); sc.Add(UnescapeID(sID));
} }
} }
} }
@ -315,13 +313,13 @@ namespace sscs.verbs
Secret secret = null; Secret secret = null;
if( keyChain.CheckIfSecretExists(secretID) == false) if( keyChain.CheckIfSecretExists(secretID) == false)
{ {
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist"); wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
} }
else else
{ {
secret = keyChain.GetSecret(secretID); secret = keyChain.GetSecret(secretID);
secret.RemoveKeyValue(keyChain, keyID); secret.RemoveKeyValue(keyChain, keyID);
wo.SetError(constants.RetCodes.SUCCESS, null); wo.SetError(constants.RetCodes.SUCCESS, null);
ssStore.UpdatePersistentStore(); ssStore.UpdatePersistentStore();
} }
} }
@ -384,22 +382,22 @@ namespace sscs.verbs
Secret secret = null; Secret secret = null;
if( keyChain.CheckIfSecretExists(secretID) == false) if( keyChain.CheckIfSecretExists(secretID) == false)
{ {
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist"); wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
} }
else else
{ {
secret = keyChain.GetSecret(secretID); secret = keyChain.GetSecret(secretID);
if( null != secret ) if( null != secret )
{ {
ArrayList keyList = secret.GetKeyList(); ArrayList keyList = secret.GetKeyList();
wo.SetObject(keyList); wo.SetObject(keyList);
wo.SetError(constants.RetCodes.SUCCESS, null); wo.SetError(constants.RetCodes.SUCCESS, null);
} }
} }
} }
catch (Exception e) catch (Exception e)
{ {
wo.SetError(constants.RetCodes.FAILURE, e.ToString()); wo.SetError(constants.RetCodes.FAILURE, e.ToString());
} }
return wo; return wo;
@ -446,7 +444,7 @@ namespace sscs.verbs
} }
else else
wo.SetError(constants.RetCodes.FAILURE, "Store locked"); wo.SetError(constants.RetCodes.FAILURE, "Store locked");
return wo; return wo;
@ -909,31 +907,31 @@ namespace sscs.verbs
} }
*/ */
private static string UnescapeID(string sOrig) private static string UnescapeID(string sOrig)
{ {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
for (int i = 0; i < sOrig.Length; i++) for (int i = 0; i < sOrig.Length; i++)
{ {
if (sOrig[i] == ('\\')) if (sOrig[i] == ('\\'))
{ {
if (i + 1 < sOrig.Length) if (i + 1 < sOrig.Length)
{ {
if (sOrig[i + 1] == (':') if (sOrig[i + 1] == (':')
|| sOrig[i + 1] == ('\\') || sOrig[i + 1] == ('\\')
|| sOrig[i + 1] == ('=')) || sOrig[i + 1] == ('='))
{ {
sb.Append(sOrig[i + 1]); sb.Append(sOrig[i + 1]);
i++; i++;
} }
} }
else else
sb.Append(sOrig[i]); sb.Append(sOrig[i]);
} }
else else
sb.Append(sOrig[i]); sb.Append(sOrig[i]);
} }
return sb.ToString(); return sb.ToString();
} }
public string GetVerbName() public string GetVerbName()
{ {
CSSSLogger.ExecutionTrace(this); CSSSLogger.ExecutionTrace(this);