#62732 Fix password validation in PasswordHasher`1: add check for upper bound for salt size before allocation an array

navferty · navferty · commit 742f022e9256 · 2025-07-15T22:15:08.000+04:00
diff --git a/src/Identity/Extensions.Core/src/PasswordHasher.cs b/src/Identity/Extensions.Core/src/PasswordHasher.cs
@@ -249,6 +249,8 @@ private static bool VerifyHashedPasswordV2(byte[] hashedPassword, string passwor
 
     private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string password, out int iterCount, out KeyDerivationPrf prf)
     {
+        const int MaxSaltSize = 1024 * 8; // 8 KiB
+
         iterCount = default(int);
         prf = default(KeyDerivationPrf);
 
@@ -260,7 +262,7 @@ private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string passwor
             int saltLength = (int)ReadNetworkByteOrder(hashedPassword, 9);
 
             // Read the salt: must be >= 128 bits
-            if (saltLength < 128 / 8)
+            if (saltLength < 128 / 8 || saltLength > MaxSaltSize)
             {
                 return false;
             }

Original file line number	Diff line number	Diff line change
`@@ -249,6 +249,8 @@ private static bool VerifyHashedPasswordV2(byte[] hashedPassword, string passwor`
`249`	`249`
`250`	`250`	`private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string password, out int iterCount, out KeyDerivationPrf prf)`
`251`	`251`	`{`
	`252`	`+ const int MaxSaltSize = 1024 * 8; // 8 KiB`
	`253`	`+`
`252`	`254`	`iterCount = default(int);`
`253`	`255`	`prf = default(KeyDerivationPrf);`
`254`	`256`
`@@ -260,7 +262,7 @@ private static bool VerifyHashedPasswordV3(byte[] hashedPassword, string passwor`
`260`	`262`	`int saltLength = (int)ReadNetworkByteOrder(hashedPassword, 9);`
`261`	`263`
`262`	`264`	`// Read the salt: must be >= 128 bits`
`263`		`- if (saltLength < 128 / 8)`
	`265`	`+ if (saltLength < 128 / 8 \|\| saltLength > MaxSaltSize)`
`264`	`266`	`{`
`265`	`267`	`return false;`
`266`	`268`	`}`