diff options
| author | Frank Lichtenheld | 2024-01-17 09:59:51 +0100 |
|---|---|---|
| committer | Gert Doering | 2024-01-17 10:10:51 +0100 |
| commit | a021de2aabb21a24c7b69aaae1c710a9b6fee429 (patch) | |
| tree | db79726d6cf750b54bc871ff5fd58864e23a09cf /src | |
| parent | cedbac710c4f6a3c5ecca5487c491f009e2b7775 (diff) | |
| download | openvpn-a021de2aabb21a24c7b69aaae1c710a9b6fee429.zip openvpn-a021de2aabb21a24c7b69aaae1c710a9b6fee429.tar.gz | |
NTLM: add length check to add_security_buffer
Especially ntlmv2_response can be very big, so make sure
we not do exceed the size of the phase3 buffer.
Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240117085951.27414-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28037.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src')
| -rw-r--r-- | src/openvpn/ntlm.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index bc33f41..99d4ae7 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -154,8 +154,13 @@ unicodize(char *dst, const char *src) static void add_security_buffer(int sb_offset, void *data, int length, - unsigned char *msg_buf, int *msg_bufpos) + unsigned char *msg_buf, int *msg_bufpos, size_t msg_bufsize) { + if (*msg_bufpos + length > msg_bufsize) + { + msg(M_WARN, "NTLM: security buffer too big for message buffer"); + return; + } /* Adds security buffer data to a message and sets security buffer's * offset and length */ msg_buf[sb_offset] = (unsigned char)length; @@ -362,15 +367,15 @@ ntlm_phase_3(const struct http_proxy_info *p, const char *phase_2, /* NTLMv2 response */ add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, - phase3, &phase3_bufpos); + phase3, &phase3_bufpos, sizeof(phase3)); /* username in ascii */ add_security_buffer(0x24, username, strlen(username), phase3, - &phase3_bufpos); + &phase3_bufpos, sizeof(phase3)); /* Set domain. If <domain> is empty, default domain will be used * (i.e. proxy's domain) */ - add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos); + add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3)); /* other security buffers will be empty */ phase3[0x10] = phase3_bufpos; /* lm not used */ |