diff options
Diffstat (limited to 'ntlmsubr.c')
| -rw-r--r-- | ntlmsubr.c | 20 |
1 files changed, 19 insertions, 1 deletions
@@ -55,7 +55,8 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto) if ((result = gen_recv(sock, msgbuf, sizeof msgbuf))) goto cancelfail; - if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0) + if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0 + || result < ((void *)&challenge.context - (void *)&challenge)) { report (stderr, GT_("could not decode BASE64 challenge\n")); /* We do not goto cancelfail; the server has already sent the @@ -64,6 +65,23 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto) return PS_AUTHFAIL; } + /* validate challenge: + * - ident + * - message type + * - that offset points into buffer + * - that offset + length does not wrap + * - that offset + length is not bigger than buffer */ + if (0 != memcmp("NTLMSSP", challenge.ident, 8) + || challenge.msgType != 2 + || challenge.uDomain.offset > result + || challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset + || challenge.uDomain.offset + challenge.uDomain.len > result) + { + report (stderr, GT_("NTLM challenge contains invalid data.\n")); + result = PS_AUTHFAIL; + goto cancelfail; + } + if (outlevel >= O_DEBUG) dumpSmbNtlmAuthChallenge(stdout, &challenge); |