[mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2877 152afb58-edef-0310-8abb-c4023f1b3aa9

NEWS

@@ -16,6 +16,7 @@ NEWS
   * fix some bugs found with canalyze (fixes #2484, thx Zhenbo Xu)
   * fix undefined stuff found with clang
   * [cmake] Use TARGET_LINK_LIBRARIES instead of LINK_FLAGS for library dependencies, also add -Wl,--as-needed to extra warnings (fixes #2448)
+  * [mod_auth] fix invalid read in digest qop=auth-int handling (fixes #2478)
 
 - 1.4.32 - 2012-11-21
   * Code cleanup with clang/sparse (fixes #2437, thx kibi)

src/http_auth.c

@@ -934,6 +934,7 @@ typedef struct {
 	char **ptr;
 } digest_kv;
 
+/* return values: -1: error/bad request, 0: failed, 1: success */
 int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p, array *req, buffer *url, const char *realm_str) {
 	char a1[256];
 	char a2[256];
@@ -1071,6 +1072,14 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 		return -1;
 	}
 
+	if (qop && strcasecmp(qop, "auth-int") == 0) {
+		log_error_write(srv, __FILE__, __LINE__, "s",
+				"digest: qop=auth-int not supported");
+
+		buffer_free(b);
+		return -1;
+	}
+
 	m = get_http_method_name(con->request.http_method);
 
 	/* password-string == HA1 */
@@ -1131,10 +1140,13 @@ int http_auth_digest_check(server *srv, connection *con, mod_auth_plugin_data *p
 	li_MD5_Update(&Md5Ctx, (unsigned char *)m, strlen(m));
 	li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
 	li_MD5_Update(&Md5Ctx, (unsigned char *)uri, strlen(uri));
+	/* qop=auth-int not supported, already checked above */
+/*
 	if (qop && strcasecmp(qop, "auth-int") == 0) {
 		li_MD5_Update(&Md5Ctx, (unsigned char *)":", 1);
-		li_MD5_Update(&Md5Ctx, (unsigned char *)"", HASHHEXLEN);
+		li_MD5_Update(&Md5Ctx, (unsigned char *) [body checksum], HASHHEXLEN);
 	}
+*/
 	li_MD5_Final(HA2, &Md5Ctx);
 	CvtHex(HA2, HA2Hex);