From f8a54ac85eec2008c85393f331cdd251af8266ad Mon Sep 17 00:00:00 2001
From: Claudio Saavedra
Date: Mon, 7 Oct 2019 16:32:15 +0300
Subject: [PATCH] NTLM: Avoid a potential heap buffer overflow in v2 authentication

Check the length of the decoded v2 challenge before attempting to parse it, to avoid reading past it.

Fixes #173
---
 libsoup/soup-auth-ntlm.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index ce0b0f5c..2d078461 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -731,6 +731,12 @@ soup_ntlm_parse_challenge (const char *challenge,
 *ntlmv2_session = (flags & NTLM_FLAGS_NEGOTIATE_NTLMV2) ? TRUE : FALSE;
 /* To know if NTLMv2 responses should be calculated */
 *negotiate_target = (flags & NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION ) ? TRUE : FALSE;
+ if (*negotiate_target) {
+ if (clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {
+ g_free (chall);
+ return FALSE;
+ }
+ }
 if (default_domain) {
 memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain));
--
2.22.0
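Review bot: The added guard in the `if (*negotiate_target)` branch only establishes that the descriptor at NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET lies inside the decoded blob; the offset and length that descriptor itself carries come from the same untrusted challenge, so whatever later copies target data out of `chall` must also reject the case where that offset plus length exceeds `clen`, and the hunk does not show such a check (the consumer of `target` sits outside it). If that check is absent, add it next to the copy, mirroring this guard's `g_free (chall); return FALSE;` exit. Stylistically the two nested ifs can be one condition, `if (*negotiate_target && clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {`, and a comment such as `/* the target-info descriptor lies past the domain descriptor; make sure the decoded challenge reaches it */` would record why the guard exists. soup_ntlm_parse_challenge begins and ends outside the hunk.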