
auth_ephemeral: test the lenghts for compared passwords

Daniel-Constantin Mierla authored on 03/05/2019 09:53:15
Showing 1 changed files
... ...
@@ -523,8 +523,9 @@ int ki_autheph_authenticate(sip_msg_t *_m, str *susername, str *spassword)
523 523
 		{
524 524
 			LM_DBG("generated password: %.*s\n",
525 525
 				sgenerated_password.len, sgenerated_password.s);
526
-			if (strncmp(spassword->s, sgenerated_password.s,
527
-					spassword->len) == 0)
526
+			if (spassword->len == sgenerated_password.len
527
+					&& strncmp(spassword->s, sgenerated_password.s,
528
+						spassword->len) == 0)
528 529
 			{
529 530
 				SECRET_UNLOCK;
530 531
 				return AUTH_OK;
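Review bot: The byte comparison in the new condition still uses `strncmp`, which returns at the first differing byte, so the time a failed check takes depends on how many leading bytes of the submitted password match the generated one. With the length test now in front, the comparison can be made constant-time without changing the result, e.g. `&& CRYPTO_memcmp(spassword->s, sgenerated_password.s, spassword->len) == 0` if OpenSSL is already available to this file (not visible in the hunk), or a short XOR-accumulate loop over the `len` bytes otherwise. A one-line comment above the condition, such as `/* lengths must match first: strncmp with a shorter or zero len accepts a prefix */`, would record why the length test is there. ki_autheph_authenticate starts and ends outside this hunk, so the other return paths were not reviewed.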