authorEvgeny Grin (Karlson2k) <k2k@narod.ru>2016-04-12 14:36:16 +0000
committerEvgeny Grin (Karlson2k) <k2k@narod.ru>2016-04-12 14:36:16 +0000
commit661a5ee03c1ff438edd46994653c8a5fa3cd075e (patch)
treea88e7341fdd2df0bb5d57cc0fc4b69a61004cdff
parent8632cd8c4bb87b5f120d2a518f9ad4807b83c93c (diff)
MHD_digest_auth_check(): used internal function to decode nc, fixed incorrect check
(should be 'ULONG_MAX', not 'LONG_MAX'), new check is more strict. Function should be more secure now.
-rw-r--r--src/microhttpd/digestauth.c9
1 files changed, 3 insertions, 6 deletions
diff --git a/src/microhttpd/digestauth.c b/src/microhttpd/digestauth.c
index ea7bc1c7..d4781406 100644
--- a/src/microhttpd/digestauth.c
+++ b/src/microhttpd/digestauth.c
@@ -668,7 +668,7 @@ MHD_digest_auth_check (struct MHD_Connection *connection,
(0 == lookup_sub_value (qop, sizeof (qop), header, "qop")) ||
( (0 != strcmp (qop, "auth")) &&
(0 != strcmp (qop, "")) ) ||
- (0 == lookup_sub_value (nc, sizeof (nc), header, "nc")) ||
+ (0 == (len = lookup_sub_value (nc, sizeof (nc), header, "nc")) ) ||
(0 == lookup_sub_value (response, sizeof (response), header, "response")) )
{
#ifdef HAVE_MESSAGES
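Review bot: The assignment `len = lookup_sub_value (...)` is buried inside the multi-line `||` chain on the `nc` line, and the declaration of `len` is outside this hunk, so it is not visible whether its type matches lookup_sub_value's return type; since the same value is later passed as a byte count to the numeric parser, it should be declared with that return type rather than a plain `int`. A short comment on the line, such as `/* keep nc length for strict numeric parsing below */`, would make the capture obvious to readers scanning the condition. The enclosing `if` condition begins before this hunk and MHD_digest_auth_check continues past it.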
@@ -677,14 +677,11 @@ MHD_digest_auth_check (struct MHD_Connection *connection,
#endif
return MHD_NO;
}
- nci = strtoul (nc, &end, 16);
- if ( ('\0' != *end) ||
- ( (LONG_MAX == nci) &&
- (ERANGE == errno) ) )
+ if (len != MHD_strx_to_uint64_n_ (nc, len, &nci))
{
#ifdef HAVE_MESSAGES
MHD_DLOG (connection->daemon,
- "Authentication failed, invalid format.\n");
+ "Authentication failed, invalid nc format.\n");
#endif
return MHD_NO; /* invalid nonce format */
}
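Review bot: The trailing comment on the `return MHD_NO;` line still reads `/* invalid nonce format */` while the log text on the new line was changed to `"Authentication failed, invalid nc format.\n"`; the value being validated here is the nonce count, not the nonce, so the comment should become `/* invalid nc format */`. The removed `strtoul` call was the only visible user of `end` and of `errno`/`ERANGE`; if `end` is still declared earlier in the function it is now unused and should be removed, and the `<errno.h>`/`<limits.h>` includes rechecked for remaining uses. `nci` was previously filled by `strtoul` (unsigned long) and is now passed by address to `MHD_strx_to_uint64_n_`; its declaration is outside the hunk, so confirm it is a `uint64_t` rather than relying on an implicit pointer mismatch warning. The enclosing function starts and ends outside this hunk.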