X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=ntlmsubr.c;h=057c1b9147c5a338468ac1dd56356b9bcf52fa3c;hb=7f6138ffd4935043382ce5f867ee9e177e0a9787;hp=9321d26e7c99af92af44c7e677d5dc6f730b8a7c;hpb=3fbc7cd331602c76f882d1b507cd05c1d824ba8b;p=~andy%2Ffetchmail

diff --git a/ntlmsubr.c b/ntlmsubr.c
index 9321d26e..057c1b91 100644
--- a/ntlmsubr.c
+++ b/ntlmsubr.c
@@ -55,7 +55,12 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
     if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
 	goto cancelfail;
 
-    if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0)
+    /*
+     * < 0: decoding error
+     * >= 0 < 32: too short to be plausible
+     */
+    if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0
+	    || result < 32)
     {
 	report (stderr, GT_("could not decode BASE64 challenge\n"));
 	/* We do not goto cancelfail; the server has already sent the
@@ -64,6 +69,23 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
 	return PS_AUTHFAIL;
     }
 
+    /* validate challenge:
+     * - ident
+     * - message type
+     * - that offset points into buffer
+     * - that offset + length does not wrap
+     * - that offset + length is not bigger than buffer */
+    if (0 != memcmp("NTLMSSP", challenge.ident, 8)
+	    || challenge.msgType != 2
+	    || challenge.uDomain.offset > (unsigned)result
+	    || (challenge.uDomain.offset + challenge.uDomain.len) < challenge.uDomain.offset
+	    || (challenge.uDomain.offset + challenge.uDomain.len) > (unsigned)result)
+    {
+	report (stderr, GT_("NTLM challenge contains invalid data.\n"));
+	result = PS_AUTHFAIL;
+	goto cancelfail;
+    }
+
     if (outlevel >= O_DEBUG)
 	dumpSmbNtlmAuthChallenge(stdout, &challenge);