authorClaudio Saavedra <csaavedra@igalia.com>2019-10-07 16:32:15 +0300
committerClaudio Saavedra <csaavedra@igalia.com>2019-10-09 12:37:58 +0300
commit060aa98c0810ed0c3860bda00293a97ae9d86cfe (patch)
tree1eb99f4dfd806936ed432513f7808c48e44df5f5
parentd3df90ae55f9a6abdc6325ab39b12b46e52ed714 (diff)
downloadlibsoup-060aa98c0810ed0c3860bda00293a97ae9d86cfe.tar.gz
NTLM: Avoid a potential heap buffer overflow in v2 authentication
Check the length of the decoded v2 challenge before attempting to parse it, so that the parser cannot read past the end of the buffer. Fixes #173
-rw-r--r--libsoup/soup-auth-ntlm.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index 7c6a4b0e..61ff93cf 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -730,6 +730,12 @@ soup_ntlm_parse_challenge (const char *challenge,
*ntlmv2_session = (flags & NTLM_FLAGS_NEGOTIATE_NTLMV2) ? TRUE : FALSE;
/* To know if NTLMv2 responses should be calculated */
*negotiate_target = (flags & NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION ) ? TRUE : FALSE;
+ if (*negotiate_target) {
+ if (clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {
+ g_free (chall);
+ return FALSE;
+ }
+ }
if (default_domain) {
memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain));