Attention is currently required from: plaisthos.
Hello plaisthos,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/496?usp=email
to review the following change.
Change subject: NTLM: add length check to add_security_buffer
......................................................................
NTLM: add length check to add_security_buffer
Especially ntlmv2_response can be very big, so make sure
we do not exceed the size of the phase3 buffer.
Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld <[email protected]>
---
M src/openvpn/ntlm.c
1 file changed, 9 insertions(+), 4 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/96/496/1
diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index bc33f41..99d4ae7 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -154,8 +154,13 @@
static void
add_security_buffer(int sb_offset, void *data, int length,
- unsigned char *msg_buf, int *msg_bufpos)
+ unsigned char *msg_buf, int *msg_bufpos, size_t
msg_bufsize)
{
+ if (*msg_bufpos + length > msg_bufsize)
+ {
+ msg(M_WARN, "NTLM: security buffer too big for message buffer");
+ return;
+ }
/* Adds security buffer data to a message and sets security buffer's
* offset and length */
msg_buf[sb_offset] = (unsigned char)length;
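Review bot: The new check `*msg_bufpos + length > msg_bufsize` at the top of add_security_buffer adds two int values and only then compares the result with a size_t, so the sum is computed in signed arithmetic and a negative length that leaves the sum non-negative passes the check. Consider rejecting negative length and *msg_bufpos explicitly (or taking length as size_t) and comparing in the form `(size_t)length > msg_bufsize - (size_t)*msg_bufpos` once the position is known to lie within the buffer. The function also still returns void, so on the warning path the caller cannot tell that the security buffer was skipped; returning a bool would let the caller stop instead of continuing with an incomplete message.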
@@ -362,15 +367,15 @@
/* NTLMv2 response */
add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16,
- phase3, &phase3_bufpos);
+ phase3, &phase3_bufpos, sizeof(phase3));
/* username in ascii */
add_security_buffer(0x24, username, strlen(username), phase3,
- &phase3_bufpos);
+ &phase3_bufpos, sizeof(phase3));
/* Set domain. If <domain> is empty, default domain will be used
* (i.e. proxy's domain) */
- add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos);
+ add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos,
sizeof(phase3));
/* other security buffers will be empty */
phase3[0x10] = phase3_bufpos; /* lm not used */
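Review bot: The three updated add_security_buffer calls do not react to the new failure path: if the NTLMv2 response is rejected as too big, the username and domain buffers are still appended and `phase3[0x10] = phase3_bufpos` still runs, so a phase 3 message with a missing field is built after nothing more than an M_WARN. Consider having add_security_buffer report failure and aborting the phase 3 generation at the first rejected buffer. Separately, `sizeof(phase3)` gives the buffer size only while phase3 is an array declared in this scope; the declaration is not part of the hunk, so it is worth confirming, since a pointer here would silently make the limit the size of a pointer.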
--
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Gerrit-Change-Number: 496
Gerrit-PatchSet: 1
Gerrit-Owner: flichtenheld <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: plaisthos <[email protected]>
Gerrit-MessageType: newchange