Verified Commit b9678868 authored by Simon Josefsson's avatar Simon Josefsson

Fix buffer overflow. Patch from Cedric Buissart based on

report by Kirin.  CVE-2019-17455

parent eb38c7b8
......@@ -36,6 +36,8 @@ extern "C"
#define NTLM_VERSION "@PACKAGE_VERSION@"
#define MSG_BUFSIZE 1024
/*
* These structures are byte-order dependant, and should not
* be manipulated except by the use of the routines provided
......@@ -55,7 +57,7 @@ extern "C"
uint32 flags;
tSmbStrHeader user;
tSmbStrHeader domain;
uint8 buffer[1024];
uint8 buffer[MSG_BUFSIZE];
uint32 bufIndex;
} tSmbNtlmAuthRequest;
......@@ -68,7 +70,7 @@ extern "C"
uint8 challengeData[8];
uint8 reserved[8];
tSmbStrHeader emptyString;
uint8 buffer[1024];
uint8 buffer[MSG_BUFSIZE];
uint32 bufIndex;
} tSmbNtlmAuthChallenge;
......@@ -84,7 +86,7 @@ extern "C"
tSmbStrHeader uWks;
tSmbStrHeader sessionKey;
uint32 flags;
uint8 buffer[1024];
uint8 buffer[MSG_BUFSIZE];
uint32 bufIndex;
} tSmbNtlmAuthResponse;
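Review bot: `MSG_BUFSIZE` at line 12 is introduced into what appears to be the library's public header (the hunk context sits inside `extern "C"` and the file carries the `@PACKAGE_VERSION@` substitution) with no library prefix and no comment tying it to the three `buffer[MSG_BUFSIZE]` arrays below or to the `AddBytes` clamp in the second file section that depends on it. An unprefixed generic name in an installed header can collide with a consumer's own `MSG_BUFSIZE`; if a prefixed name such as `NTLM_MSG_BUFSIZE` is too invasive for a security fix, at least document the coupling on the define: `/* Size of the trailing message buffer in the tSmbNtlmAuth* structs; every write into it (AddBytes) must stay within this bound. */`. The replacements in the hunks at lines 16, 24 and 32 are the same three-struct change and need nothing further.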
......@@ -46,9 +46,9 @@ char versionString[] = PACKAGE_STRING;
/*
* Must be multiple of two
* We use a statis buffer of 1024 bytes for message
* We use a statis buffer of MSG_BUFSIZE [1024] bytes for message
* At maximun we but 48 bytes (ntlm responses) and 3 unicode strings so
* NTLM_BUFSIZE * 3 + 48 <= 1024
* NTLM_BUFSIZE * 3 + 48 <= MSG_BUFSIZE
*/
#define NTLM_BUFSIZE 320
......@@ -70,10 +70,13 @@ char versionString[] = PACKAGE_STRING;
*/
#define AddBytes(ptr, header, buf, count) \
{ \
ptr->header.len = ptr->header.maxlen = UI16LE(count); \
size_t count2 = count; \
if (count2 > MSG_BUFSIZE - ptr->bufIndex) \
count2 = MSG_BUFSIZE - ptr->bufIndex; \
ptr->header.len = ptr->header.maxlen = UI16LE(count2); \
ptr->header.offset = UI32LE((ptr->buffer - ((uint8*)ptr)) + ptr->bufIndex); \
memcpy(ptr->buffer+ptr->bufIndex, buf, count); \
ptr->bufIndex += count; \
memcpy(ptr->buffer+ptr->bufIndex, buf, count2); \
ptr->bufIndex += count2; \
}
#define AddString(ptr, header, string) \
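Review bot: The clamp added at lines 56-58 stops the overflow but makes truncation silent: when `count` exceeds the remaining room, `header.len`/`maxlen` and the copy shrink to whatever fits and the caller never learns that the bytes it supplied were cut, so the emitted message is well-formed but no longer carries what the caller asked for, which will surface as an unexplained authentication failure rather than an error. The macro has no return channel, so at minimum document the behaviour where `count2` is computed, `/* Clamp to the space left in ptr->buffer; the sizing comment above intends this never to fire for NTLM_BUFSIZE-bounded strings. */`, and if the callers can be changed, have the function that fills the struct check `ptr->bufIndex + count <= MSG_BUFSIZE` up front and fail instead of truncating. Separately, `MSG_BUFSIZE - ptr->bufIndex` is unsigned arithmetic (`bufIndex` is `uint32`), so if `bufIndex` ever exceeded `MSG_BUFSIZE` the difference would wrap and the guard would not fire; that cannot happen if every struct starts with `bufIndex` at 0 and only AddBytes advances it, but `if (ptr->bufIndex >= MSG_BUFSIZE) count2 = 0; else if (count2 > MSG_BUFSIZE - ptr->bufIndex) count2 = MSG_BUFSIZE - ptr->bufIndex;` makes the invariant explicit. The rewritten comment at line 45 also keeps the typos `statis` and `maximun`/`we but` and hard-codes `[1024]` next to the macro that now owns that value, so the comment will drift if the define changes.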