mirror of https://github.com/Ylianst/MeshAgent synced 2025-12-21 10:43:36 +00:00

Updated server authentication to mitigate integer overflow attack

Bryan Roe
2020-07-07 01:41:12 -07:00
parent f2cbf1f10d
commit e9573e5261


@@ -2635,6 +2635,15 @@ void MeshServer_ProcessCommand(ILibWebClient_StateObject WebStateObject, MeshAge
// We have to wait for the server to indicate that it authenticated the agent (us) before sending any data to the server.
// Node authentication requires the server make database calls, so we need to delay.
agent->serverAuthState += 2;
if (agent->serverAuthState > 3)
{
agent->serverAuthState = 0;
if (agent->controlChannelDebug != 0)
{
printf("Invalid Server Response...\n");
ILIBLOGMESSAGEX("Invalid Server Response...");
}
}
if (agent->serverAuthState == 3) { MeshServer_ServerAuthenticated(WebStateObject, agent); }
}
break;
@@ -3121,7 +3130,7 @@ void MeshServer_OnResponse(ILibWebClient_StateObject WebStateObject, int Interru
ILIBLOGMESSAGEX("Control Channel Disconnected...");
}
// If the channel had been authenticates, inform JavaScript core module that we are not disconnected
// If the channel had been authenticated, inform JavaScript core module that we are not disconnected
#ifndef MICROSTACK_NOTLS
if (agent->serverAuthState == 3)
#endif
@@ -3137,6 +3146,7 @@ void MeshServer_OnResponse(ILibWebClient_StateObject WebStateObject, int Interru
duk_pop(agent->meshCoreCtx);
}
}
agent->serverAuthState = 0;
agent->controlChannel = NULL; // Set the agent MeshCentral server control channel
agent->serverConnectionState = 0;
break;
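Review bot: The invalid-state branch in the first hunk (`if (agent->serverAuthState > 3)`) only resets the state to 0 and leaves the control channel open, and both of its log calls sit inside `if (agent->controlChannelDebug != 0)`, so a server that repeats the authentication confirmation leaves no trace on an agent running without channel debugging. I would move `ILIBLOGMESSAGEX("Invalid Server Response...");` out of the debug check so the event is always recorded, and treat it as a protocol violation that ends the connection instead of continuing to process commands; the disconnect path in MeshServer_OnResponse already sets `agent->serverAuthState = 0;` in the third hunk. The check also runs after `agent->serverAuthState += 2;`, so it depends on the field's type and arithmetic, which are not visible here; testing the flag before adding, for example `if ((agent->serverAuthState & 2) != 0) { /* duplicate confirmation: reject */ }`, would refuse the repeat without relying on the sum. Both functions start and end outside the hunks shown.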