Security Audit 5.5: Check length of message to be within range.

Jim Norman 2006-04-26 16:29:13 +00:00
parent d8ad2aab45
commit 8230adb2d6
3 changed files with 160 additions and 158 deletions


@ -1,3 +1,7 @@
-------------------------------------------------------------------
Wed Apr 26 10:26:20 MST 2006 - jnorman@novell.com
- Security Audit 5.5: Check length of message to be within range.
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Apr 26 09:10:20 MST 2006 - jnorman@novell.com Wed Apr 26 09:10:20 MST 2006 - jnorman@novell.com
- Security Audit 5.13: Ensure that string lengths are within limits - Security Audit 5.13: Ensure that string lengths are within limits


@ -144,8 +144,8 @@ namespace sscs.init
ti.Install ( new Hashtable ()); ti.Install ( new Hashtable ());
} }
catch (Exception e) catch (Exception e)
{ {
Console.WriteLine(e.ToString()); System.Diagnostics.Debug.WriteLine(e.ToString());
} }
} }
@ -177,7 +177,7 @@ namespace sscs.init
} }
catch (Exception e) catch (Exception e)
{ {
Console.WriteLine(e.ToString()); System.Diagnostics.Debug.WriteLine(e.ToString());
} }
} }
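Review bot: Both catch blocks in this file (the hunks at -144 and -177) now report the exception only through `System.Diagnostics.Debug.WriteLine`, which is compiled out unless DEBUG is defined. In a release build a failure of `ti.Install(...)`, or of whatever the second try block guards (not visible here), would be swallowed with no trace at all. Keeping the stack trace off the console is reasonable, but the failure itself should still be recorded somewhere an operator can find it, or turned into a failing exit status. At minimum I would add a comment in each handler such as `// Debug.WriteLine is a no-op in release builds: the failure is deliberately not shown on the console`. Both enclosing methods start and end outside the hunks.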


@ -79,16 +79,15 @@ namespace sscs.verbs
msgId = BitConverter.ToUInt16(inBuf,0); msgId = BitConverter.ToUInt16(inBuf,0);
inMsgLen = BitConverter.ToUInt32(inBuf,2); inMsgLen = BitConverter.ToUInt32(inBuf,2);
//Console.WriteLine("Serialization verb: msgId is " + msgId + " inMsgLen = " + inMsgLen + "inBuf.Length is " + inBuf.Length); // check inMsgLen
if ((inMsgLen < 6) || (inMsgLen > 65535))
{
throw new FormatException(" MsgLen invalid.");
}
// if( inMsgLen != inBuf.Length )
// Console.WriteLine("inMsgLen != inBuf.Length");
// throw new FormatException(" MsgLen sent does not match the length of the message received.");
// deserialize the data // deserialize the data
BinaryFormatter formatter = new BinaryFormatter(); BinaryFormatter formatter = new BinaryFormatter();
MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen - 6); MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen - 6);
// MemoryStream ms = new MemoryStream(inBuf, 6, (int)inMsgLen);
WrappedObject request; WrappedObject request;
WrappedObject reply; WrappedObject reply;
@ -120,112 +119,111 @@ namespace sscs.verbs
internal WrappedObject ProcessMessage(WrappedObject wo, UserIdentifier userId) internal WrappedObject ProcessMessage(WrappedObject wo, UserIdentifier userId)
{ {
//Console.WriteLine("ObjectSerialization Called");
SecretStore ssStore = SessionManager.CreateUserSession(userId); SecretStore ssStore = SessionManager.CreateUserSession(userId);
try try
{ {
int action = wo.GetAction(); int action = wo.GetAction();
switch (action) switch (action)
{
case MiCasaRequestReply.VERB_PING_MICASAD:
{
return DoPing(wo);
}
case MiCasaRequestReply.VERB_SET_LINKED_KEY:
{
return DoSetLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_LINKED_KEY:
{
return DoRemoveLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_LINKED_KEYS:
{
return DoGetLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_CREATE_TEST_SECRETS:
{
return DoCreateTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_TEST_SECRETS:
{
return DoRemoveTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_DUMP_LINKED_KEYS:
{
return DoDumpLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_WRITE_KEY:
{
return DoWriteKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_LOCK_STORE:
{
ssStore.LockStore();
return wo;
}
case MiCasaRequestReply.VERB_UNLOCK_STORE:
{
return DoUnlockStore(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_ALL_SECRETS:
{
// stop persistence
//ssStore.StopPersistence();
// remove secrets
return DoRemoveAllSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_STORE_STATUS:
{
wo.SetObject(ssStore.GetSecretStoreState());
return wo;
}
case MiCasaRequestReply.VERB_REMOVE_KEY:
{
return DoRemoveKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_READ_KEY:
{
return DoReadKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_KEY_LIST:
{
return DoGetKeyList(ssStore, wo);
}
case MiCasaRequestReply.VERB_RESET_MASTER_PASSWORD:
{
return DoResetMasterPassword(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_SECRETIDS:
{
return DoGetSecretIDs(ssStore, wo);
}
default:
{
wo.SetError(constants.RetCodes.FAILURE, "Verb Not Supported");
return wo;
}
}
}
catch (Exception e)
{ {
wo.SetError(constants.RetCodes.FAILURE, e.ToString()); case MiCasaRequestReply.VERB_PING_MICASAD:
} {
return DoPing(wo);
}
case MiCasaRequestReply.VERB_SET_LINKED_KEY:
{
return DoSetLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_LINKED_KEY:
{
return DoRemoveLinkedKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_LINKED_KEYS:
{
return DoGetLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_CREATE_TEST_SECRETS:
{
return DoCreateTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_TEST_SECRETS:
{
return DoRemoveTestSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_DUMP_LINKED_KEYS:
{
return DoDumpLinkedKeys(ssStore, wo);
}
case MiCasaRequestReply.VERB_WRITE_KEY:
{
return DoWriteKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_LOCK_STORE:
{
ssStore.LockStore();
return wo;
}
case MiCasaRequestReply.VERB_UNLOCK_STORE:
{
return DoUnlockStore(ssStore, wo);
}
case MiCasaRequestReply.VERB_REMOVE_ALL_SECRETS:
{
// stop persistence
//ssStore.StopPersistence();
// remove secrets
return DoRemoveAllSecrets(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_STORE_STATUS:
{
wo.SetObject(ssStore.GetSecretStoreState());
return wo;
}
case MiCasaRequestReply.VERB_REMOVE_KEY:
{
return DoRemoveKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_READ_KEY:
{
return DoReadKey(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_KEY_LIST:
{
return DoGetKeyList(ssStore, wo);
}
case MiCasaRequestReply.VERB_RESET_MASTER_PASSWORD:
{
return DoResetMasterPassword(ssStore, wo);
}
case MiCasaRequestReply.VERB_GET_SECRETIDS:
{
return DoGetSecretIDs(ssStore, wo);
}
default:
{
wo.SetError(constants.RetCodes.FAILURE, "Verb Not Supported");
return wo;
}
}
}
catch (Exception e)
{
wo.SetError(constants.RetCodes.FAILURE, e.ToString());
}
return wo; return wo;
@ -245,12 +243,12 @@ namespace sscs.verbs
StringCollection sc = (StringCollection)wo.GetObject(); StringCollection sc = (StringCollection)wo.GetObject();
if (sc != null) if (sc != null)
{ {
IDictionaryEnumerator etor = (IDictionaryEnumerator)kc.GetAllSecrets(); IDictionaryEnumerator etor = (IDictionaryEnumerator)kc.GetAllSecrets();
while(etor.MoveNext()) while(etor.MoveNext())
{ {
string sID = (string)etor.Key; string sID = (string)etor.Key;
sID = sID.Substring(0, sID.Length - 1); sID = sID.Substring(0, sID.Length - 1);
sc.Add(UnescapeID(sID)); sc.Add(UnescapeID(sID));
} }
} }
} }
@ -315,13 +313,13 @@ namespace sscs.verbs
Secret secret = null; Secret secret = null;
if( keyChain.CheckIfSecretExists(secretID) == false) if( keyChain.CheckIfSecretExists(secretID) == false)
{ {
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist"); wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
} }
else else
{ {
secret = keyChain.GetSecret(secretID); secret = keyChain.GetSecret(secretID);
secret.RemoveKeyValue(keyChain, keyID); secret.RemoveKeyValue(keyChain, keyID);
wo.SetError(constants.RetCodes.SUCCESS, null); wo.SetError(constants.RetCodes.SUCCESS, null);
ssStore.UpdatePersistentStore(); ssStore.UpdatePersistentStore();
} }
} }
@ -384,22 +382,22 @@ namespace sscs.verbs
Secret secret = null; Secret secret = null;
if( keyChain.CheckIfSecretExists(secretID) == false) if( keyChain.CheckIfSecretExists(secretID) == false)
{ {
wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist"); wo.SetError(constants.RetCodes.FAILURE,"Secret does not exist");
} }
else else
{ {
secret = keyChain.GetSecret(secretID); secret = keyChain.GetSecret(secretID);
if( null != secret ) if( null != secret )
{ {
ArrayList keyList = secret.GetKeyList(); ArrayList keyList = secret.GetKeyList();
wo.SetObject(keyList); wo.SetObject(keyList);
wo.SetError(constants.RetCodes.SUCCESS, null); wo.SetError(constants.RetCodes.SUCCESS, null);
} }
} }
} }
catch (Exception e) catch (Exception e)
{ {
wo.SetError(constants.RetCodes.FAILURE, e.ToString()); wo.SetError(constants.RetCodes.FAILURE, e.ToString());
} }
return wo; return wo;
@ -446,7 +444,7 @@ namespace sscs.verbs
} }
else else
wo.SetError(constants.RetCodes.FAILURE, "Store locked"); wo.SetError(constants.RetCodes.FAILURE, "Store locked");
return wo; return wo;
@ -907,33 +905,33 @@ namespace sscs.verbs
} }
return wo; return wo;
} }
*/ */
private static string UnescapeID(string sOrig) private static string UnescapeID(string sOrig)
{ {
StringBuilder sb = new StringBuilder(); StringBuilder sb = new StringBuilder();
for (int i = 0; i < sOrig.Length; i++) for (int i = 0; i < sOrig.Length; i++)
{ {
if (sOrig[i] == ('\\')) if (sOrig[i] == ('\\'))
{ {
if (i + 1 < sOrig.Length) if (i + 1 < sOrig.Length)
{ {
if (sOrig[i + 1] == (':') if (sOrig[i + 1] == (':')
|| sOrig[i + 1] == ('\\') || sOrig[i + 1] == ('\\')
|| sOrig[i + 1] == ('=')) || sOrig[i + 1] == ('='))
{ {
sb.Append(sOrig[i + 1]); sb.Append(sOrig[i + 1]);
i++; i++;
} }
} }
else else
sb.Append(sOrig[i]); sb.Append(sOrig[i]);
} }
else else
sb.Append(sOrig[i]); sb.Append(sOrig[i]);
} }
return sb.ToString(); return sb.ToString();
} }
public string GetVerbName() public string GetVerbName()
{ {
CSSSLogger.ExecutionTrace(this); CSSSLogger.ExecutionTrace(this);
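Review bot: The new range check in the first hunk (`@ -79,16 +79,15`) bounds `inMsgLen` to 6–65535 but never compares it with `inBuf.Length`, and the old commented-out `inMsgLen != inBuf.Length` test appears to be dropped rather than enabled. A header that claims more bytes than were received still reaches `new MemoryStream(inBuf, 6, (int)inMsgLen - 6)`, which would fail with an ArgumentException rather than the intended FormatException; whether that is caught is not visible, because the enclosing method starts and ends outside the hunk. I would extend the guard to `if ((inMsgLen < 6) || (inMsgLen > 65535) || (inMsgLen > inBuf.Length))` and check `inBuf.Length >= 6` before the two `BitConverter` reads. Separately, the payload is presumably still deserialized with `BinaryFormatter`, which is not safe for data from a less-trusted peer, so the length check alone should not be read as validating the message.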