--- squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c.orig 2001-11-30 10:50:28.000000000 +0100 +++ squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c 2004-06-10 18:51:30.985180312 +0200 @@ -161,7 +161,10 @@ #define min(A,B) (A MAX_DOMAIN_LEN) { + debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN); + ntlm_errno = NTLM_LOGON_ERROR; + return NULL; + } memcpy(domain, tmp.str, tmp.l); - user = domain + tmp.l; + user = domain + tmp.l + 1; *user++ = '\0'; /* debug("fetching user name\n"); */ @@ -226,20 +234,30 @@ ntlm_errno = NTLM_LOGON_ERROR; return NULL; } + if (tmp.l > MAX_USERNAME_LEN) { + debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN); + ntlm_errno = NTLM_LOGON_ERROR; + return NULL; + } memcpy(user, tmp.str, tmp.l); *(user + tmp.l) = '\0'; - /* Authenticating against the NT response doesn't seem to work... */ + /* Authenticating against the NT response doesn't seem to work... */ tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse); if (tmp.str == NULL || tmp.l == 0) { fprintf(stderr, "No auth at all. Returning no-auth\n"); ntlm_errno = NTLM_LOGON_ERROR; return NULL; } - + if (tmp.l > MAX_PASSWD_LEN) { + debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN); + ntlm_errno = NTLM_LOGON_ERROR; + return NULL; + } + memcpy(pass, tmp.str, tmp.l); - pass[25] = '\0'; + pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0'; #if 1 debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"