- Security Audit Report : Patch for Bug No. 5.7.

File : c_micasad/verbs/SetMasterPassword.cs. - Added a check to verify the length of the Master Password to be greater than 8 characters and less than or equal to 256 characters.
2006-03-29 13:56:56 +00:00
parent cd5d118158
commit a06c806d2e
2 changed files with 44 additions and 25 deletions
--- a/c_micasad/verbs/SetMasterPassword.cs
+++ b/c_micasad/verbs/SetMasterPassword.cs
@@ -49,7 +49,9 @@ namespace sscs.verbs
        private byte[] inBuf;
        private byte[] outBuf;
        private int retCode        = 0;
-        
+        private int MASTER_PASS_MIN_LEN = 8;
+	private int MASTER_PASS_MAX_LEN = 256;
+
        /*
        * This method sets the class member with the byte array received.
        */
@@ -78,30 +80,37 @@ namespace sscs.verbs
                throw new FormatException(" MsgLen sent does not match the length of the message received."); 
            passwdType   = BitConverter.ToUInt32(inBuf,6);
            passwdLen    = BitConverter.ToUInt32(inBuf,10);
-            byte[] tempArr = new byte[passwdLen];
-            Array.Copy(inBuf,14,tempArr,0,passwdLen);
-            passwd = Encoding.UTF8.GetString(tempArr);
-            // Message Format decipher - End
- 
-            try
-            {    
-                SecretStore ssStore = null;
-                ssStore = SessionManager.GetUserSecretStore(userId);
-                if(ssStore.SetMasterPassword(passwd))
-                    retCode = IPCRetCodes.SSCS_REPLY_SUCCESS;
-                else
-                    retCode = IPCRetCodes.SSCS_E_SETTING_PASSCODE_FAILED;     
-            }     
-            catch(UserNotInSessionException)
-            {
-                CSSSLogger.DbgLog("In " + CSSSLogger.GetExecutionPath(this) + " Unable to get user's secretstore" );
-                retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
-            }
-            catch(Exception e) 
-            {
-                CSSSLogger.ExpLog(e.ToString());
-                retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
-            }
+	    if(passwdLen < MASTER_PASS_MIN_LEN || passwdLen > MASTER_PASS_MAX_LEN)
+	    {
+		retCode = IPCRetCodes.SSCS_E_SETTING_PASSCODE_FAILED;     
+	    }
+	    else
+	    {
+	            byte[] tempArr = new byte[passwdLen];
+        	    Array.Copy(inBuf,14,tempArr,0,passwdLen);
+        	    passwd = Encoding.UTF8.GetString(tempArr);
+        	    // Message Format decipher - End
+ 	
+        	    try
+        	    {    
+        	        SecretStore ssStore = null;
+        	        ssStore = SessionManager.GetUserSecretStore(userId);
+        	        if(ssStore.SetMasterPassword(passwd))
+        	            retCode = IPCRetCodes.SSCS_REPLY_SUCCESS;
+        	        else
+        	            retCode = IPCRetCodes.SSCS_E_SETTING_PASSCODE_FAILED;     
+        	    }     
+        	    catch(UserNotInSessionException)
+        	    {
+        	        CSSSLogger.DbgLog("In " + CSSSLogger.GetExecutionPath(this) + " Unable to get user's secretstore" );
+        	        retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
+        	    }
+        	    catch(Exception e) 
+        	    {
+        	        CSSSLogger.ExpLog(e.ToString());
+        	        retCode = IPCRetCodes.SSCS_E_SYSTEM_ERROR;
+        	    }
+	    }
                
            try
            {