NTLM: Avoid a potential heap buffer overflow in v2 authentication

Check the length of the decoded v2 challenge before attempting to parse it, to avoid reading past it. Fixes #173

NTLM: Avoid a potential heap buffer overflow in v2 authentication
Check the length of the decoded v2 challenge before attempting to parse it, to avoid reading past it. Fixes #173
88b7dff4 · Claudio Saavedra · 2334a56c · 88b7dff4
Commit 88b7dff4 authored Oct 07, 2019 by Claudio Saavedra
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 0 deletions

libsoup/soup-auth-ntlm.c libsoup/soup-auth-ntlm.c +6 -0

No files found.
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -731,6 +731,12 @@ soup_ntlm_parse_challenge (const char *challenge,
 	*ntlmv2_session = (flags & NTLM_FLAGS_NEGOTIATE_NTLMV2) ? TRUE : FALSE;
 	/* To know if NTLMv2 responses should be calculated */
 	*negotiate_target = (flags & NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION ) ? TRUE : FALSE;
+        if (*negotiate_target && target_info) {
+            if (clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {
+                g_free (chall);
+                return FALSE;
+            }
+        }

 	if (default_domain) {
 		memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain));