Commit | Line | Data |
---|---|---|
96d7bfb0 PS |
1 | --- squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c.orig 2001-11-30 10:50:28.000000000 +0100 |
2 | +++ squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c 2004-06-10 18:51:30.985180312 +0200 | |
3 | @@ -161,7 +161,10 @@ | |
4 | #define min(A,B) (A<B?A:B) | |
5 | ||
6 | int ntlm_errno; | |
7 | -static char credentials[1024]; /* we can afford to waste */ | |
8 | +#define MAX_USERNAME_LEN 255 | |
9 | +#define MAX_DOMAIN_LEN 255 | |
10 | +#define MAX_PASSWD_LEN 31 | |
11 | +static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */ | |
12 | ||
13 | ||
14 | /* Fetches the user's credentials from the challenge. | |
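Review bot: The retained comment `/* we can afford to waste */` on the new `credentials` declaration no longer describes the buffer, which is now sized to exactly the two maxima plus two terminator bytes with no slack. I would replace it with `/* domain NUL user NUL; exact fit, every copy into it must be length-checked */` so that a later change to the layout or to the limits is made with the size in mind.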
15 | @@ -197,7 +200,7 @@ | |
16 | ntlm_check_auth(ntlm_authenticate * auth, int auth_length) | |
17 | { | |
18 | int rv; | |
19 | - char pass[25] /*, encrypted_pass[40] */; | |
20 | + char pass[MAX_PASSWD_LEN+1]; | |
21 | char *domain = credentials; | |
22 | char *user; | |
23 | lstring tmp; | |
24 | @@ -215,8 +218,13 @@ | |
25 | ntlm_errno = NTLM_LOGON_ERROR; | |
26 | return NULL; | |
27 | } | |
28 | + if (tmp.l > MAX_DOMAIN_LEN) { | |
29 | + debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN); | |
30 | + ntlm_errno = NTLM_LOGON_ERROR; | |
31 | + return NULL; | |
32 | + } | |
33 | memcpy(domain, tmp.str, tmp.l); | |
34 | - user = domain + tmp.l; | |
35 | + user = domain + tmp.l + 1; | |
36 | *user++ = '\0'; | |
37 | ||
38 | /* debug("fetching user name\n"); */ | |
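Review bot: The changed line `user = domain + tmp.l + 1;` followed by `*user++ = '\0';` writes the terminator at `domain[tmp.l + 1]` and leaves `domain[tmp.l]` unwritten, so the domain ends at whatever byte the static `credentials` buffer held from an earlier request. It also moves the user name one byte further along: with a 255-byte domain and a 255-byte user name, the later `*(user + tmp.l) = '\0';` lands at offset 512 of a 512-byte array, one past the end. Keeping the removed form `user = domain + tmp.l;` makes the layout domain, NUL, user, NUL fit exactly in `MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2`. ntlm_check_auth starts and ends outside this hunk.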
39 | @@ -226,20 +234,30 @@ | |
40 | ntlm_errno = NTLM_LOGON_ERROR; | |
41 | return NULL; | |
42 | } | |
43 | + if (tmp.l > MAX_USERNAME_LEN) { | |
44 | + debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN); | |
45 | + ntlm_errno = NTLM_LOGON_ERROR; | |
46 | + return NULL; | |
47 | + } | |
48 | memcpy(user, tmp.str, tmp.l); | |
49 | *(user + tmp.l) = '\0'; | |
50 | ||
51 | ||
52 | - /* Authenticating against the NT response doesn't seem to work... */ | |
53 | + /* Authenticating against the NT response doesn't seem to work... */ | |
54 | tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse); | |
55 | if (tmp.str == NULL || tmp.l == 0) { | |
56 | fprintf(stderr, "No auth at all. Returning no-auth\n"); | |
57 | ntlm_errno = NTLM_LOGON_ERROR; | |
58 | return NULL; | |
59 | } | |
60 | - | |
61 | + if (tmp.l > MAX_PASSWD_LEN) { | |
62 | + debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN); | |
63 | + ntlm_errno = NTLM_LOGON_ERROR; | |
64 | + return NULL; | |
65 | + } | |
66 | + | |
67 | memcpy(pass, tmp.str, tmp.l); | |
68 | - pass[25] = '\0'; | |
69 | + pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0'; | |
70 | ||
71 | #if 1 | |
72 | debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'" |
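Review bot: The new guard `if (tmp.l > MAX_PASSWD_LEN)` bounds the length only from above. The declaration of `lstring` is not part of this patch; if its `l` field is a signed integer, a negative length passes the guard and `memcpy(pass, tmp.str, tmp.l)` converts it to a very large size. Unless ntlm_fetch_string already guarantees a non-negative length, `if (tmp.l < 0 || tmp.l > MAX_PASSWD_LEN)` would be safer, and the same applies to the user-name guard earlier in this hunk and the domain guard in the previous hunk. After the guard, `min(MAX_PASSWD_LEN,tmp.l)` always equals `tmp.l`, so `pass[tmp.l] = '\0';` states the same thing without going through the unparenthesized `min` macro.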