35 lines
988 B
Diff
35 lines
988 B
Diff
|
From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
|
||
|
|
From: Aki Tuomi <aki.tuomi@open-xchange.com>
|
||
|
|
Date: Mon, 18 May 2020 12:33:39 +0300
|
||
|
|
Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses
|
||
|
|
|
||
|
|
Add missing check for buffer length.
|
||
|
|
|
||
|
|
If this is not checked, it is possible to send message which
|
||
|
|
causes read past buffer bug.
|
||
|
|
|
||
|
|
Broken in c7480644202e5451fbed448508ea29a25cffc99c
|
||
|
|
---
|
||
|
|
src/lib-ntlm/ntlm-message.c | 5 +++++
|
||
|
|
1 file changed, 5 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
|
||
|
|
index 160b9f918c..a29413b47e 100644
|
||
|
|
--- a/src/lib-ntlm/ntlm-message.c
|
||
|
|
+++ b/src/lib-ntlm/ntlm-message.c
|
||
|
|
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
|
||
|
|
if (length == 0 && space == 0)
|
||
|
|
return TRUE;
|
||
|
|
|
||
|
|
+ if (length > data_size) {
|
||
|
|
+ *error = "buffer length out of bounds";
|
||
|
|
+ return FALSE;
|
||
|
|
+ }
|
||
|
|
+
|
||
|
|
if (offset >= data_size) {
|
||
|
|
*error = "buffer offset out of bounds";
|
||
|
|
return FALSE;
|
||
|
|
--
|
||
|
|
2.11.0
|
||
|
|
|