Merge pull request from GHSA-5g4r-2qhx-vqfm

jhawthorn · web-flow · commit 6bed62789eaf · 2022-06-06T13:12:42.000-07:00
Verify exact length of auth_data_len
diff --git a/contrib/ruby/Gemfile.lock b/contrib/ruby/Gemfile.lock
@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    trilogy (2.1.0)
+    trilogy (2.1.1)
 
 GEM
   remote: https://rubygems.org/
diff --git a/contrib/ruby/lib/trilogy/version.rb b/contrib/ruby/lib/trilogy/version.rb
@@ -1,3 +1,3 @@
 class Trilogy
-  VERSION = "2.1.0"
+  VERSION = "2.1.1"
 end
diff --git a/src/protocol.c b/src/protocol.c
@@ -275,8 +275,10 @@ int trilogy_parse_handshake_packet(const uint8_t *buff, size_t len, trilogy_hand
     if (out_packet->capabilities & TRILOGY_CAPABILITIES_SECURE_CONNECTION && auth_data_len > 8) {
         uint8_t remaining_auth_data_len = auth_data_len - 8;
 
-        if (remaining_auth_data_len > 13) {
-            remaining_auth_data_len = 13;
+        // The auth plugins we support all provide exactly 21 bytes of
+        // auth_data. Reject any other values for auth_data_len.
+        if (SCRAMBLE_LEN + 1 != auth_data_len) {
+            return TRILOGY_PROTOCOL_VIOLATION;
         }
 
         CHECKED(trilogy_reader_copy_buffer(&reader, remaining_auth_data_len, out_packet->scramble + 8));
