path: root/community/libsoup/CVE-2019-17266.patch
From f8a54ac85eec2008c85393f331cdd251af8266ad Mon Sep 17 00:00:00 2001
From: Claudio Saavedra <csaavedra@igalia.com>
Date: Mon, 7 Oct 2019 16:32:15 +0300
Subject: [PATCH] NTLM: Avoid a potential heap buffer overflow in v2
 authentication

Check the length of the decoded v2 challenge before attempting to
parse it, to avoid reading past it.

Fixes #173
---
 libsoup/soup-auth-ntlm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index ce0b0f5c..2d078461 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -731,6 +731,12 @@ soup_ntlm_parse_challenge (const char *challenge,
 	*ntlmv2_session = (flags & NTLM_FLAGS_NEGOTIATE_NTLMV2) ? TRUE : FALSE;
 	/* To know if NTLMv2 responses should be calculated */
 	*negotiate_target = (flags & NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION ) ? TRUE : FALSE;
+        if (*negotiate_target) {
+            if (clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {
+                g_free (chall);
+                return FALSE;
+            }
+        }
 
 	if (default_domain) {
 		memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain));
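Review bot: The guard added after `*negotiate_target` is set only proves that the fixed-size `target` record at `NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET` lies inside the decoded buffer; it does not bound the offset and length that record carries, which come from the server and presumably index into `chall` later. The code that reads `target` is outside this hunk, so it should be confirmed there that those fields are also compared against `clen` before anything is copied. The new lines are indented with spaces while the surrounding function uses tabs, and the two nested `if`s could be one condition, `if (*negotiate_target && clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {`. A short comment such as `/* Reject challenges too short to hold the target-information header */` would keep the existing comment on the line above from reading as if it described the check.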
-- 
2.22.0