author | Claudio Saavedra <csaavedra@igalia.com> | 2019-10-07 16:32:15 +0300 |
---|---|---|
committer | Claudio Saavedra <csaavedra@igalia.com> | 2019-10-09 12:37:58 +0300 |
commit | 060aa98c0810ed0c3860bda00293a97ae9d86cfe (patch) | |
tree | 1eb99f4dfd806936ed432513f7808c48e44df5f5 | |
parent | d3df90ae55f9a6abdc6325ab39b12b46e52ed714 (diff) | |
download | libsoup-060aa98c0810ed0c3860bda00293a97ae9d86cfe.tar.gz |
NTLM: Avoid a potential heap buffer overflow in v2 authentication
Check the length of the decoded v2 challenge before attempting to
parse it, to avoid reading past it.
Fixes #173
-rw-r--r-- | libsoup/soup-auth-ntlm.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index 7c6a4b0e..61ff93cf 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -730,6 +730,12 @@ soup_ntlm_parse_challenge (const char *challenge,
 *ntlmv2_session = (flags & NTLM_FLAGS_NEGOTIATE_NTLMV2) ? TRUE : FALSE;
 /* To know if NTLMv2 responses should be calculated */
 *negotiate_target = (flags & NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION ) ? TRUE : FALSE;
+ if (*negotiate_target) {
+ if (clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {
+ g_free (chall);
+ return FALSE;
+ }
+ }
 if (default_domain) {
 memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain)); |
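Review bot: The added length check bounds only the read of the fixed-size `target` header, and only when the target-information flag is set. The `memcpy (&domain, ...)` right after it in the hunk is not covered and depends on length validation earlier in soup_ntlm_parse_challenge, which starts and ends outside this hunk. It is worth confirming that the earlier validation guarantees `clen >= NTLM_CHALLENGE_DOMAIN_STRING_OFFSET + sizeof (domain)`, and that the offset and length later taken from `target` are checked against `clen` before they are used. The nested `if`s can be a single condition, `if (*negotiate_target && clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {`, preceded by a comment such as `/* The target information header must fit inside the decoded challenge */`. Note also that `*ntlmv2_session` and `*negotiate_target` are already written when this path returns FALSE, so a caller that ignores the return value sees `*negotiate_target` set for a truncated message.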