Update German translation.

[~andy/fetchmail] / ntlmsubr.c

diff --git a/ntlmsubr.c b/ntlmsubr.c
index 3684bf9e6f7a800c4f8f43cd36c722cf5b4c1ddb..057c1b9147c5a338468ac1dd56356b9bcf52fa3c 100644 (file)
--- a/ntlmsubr.c
+++ b/ntlmsubr.c
@@ -34,6 +34,7 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
        if (outlevel >= O_VERBOSE) {
            report(stdout, GT_("Warning: received malformed challenge to \"AUTH(ENTICATE) NTLM\"!\n"));
        }
+       result = PS_AUTHFAIL;
        goto cancelfail;
     }
 
@@ -54,7 +55,36 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
     if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
        goto cancelfail;
 
-    (void)from64tobits (&challenge, msgbuf, sizeof(challenge));
+    /*
+     * < 0: decoding error
+     * >= 0 < 32: too short to be plausible
+     */
+    if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0
+           || result < 32)
+    {
+       report (stderr, GT_("could not decode BASE64 challenge\n"));
+       /* We do not goto cancelfail; the server has already sent the
+        * tagged reply, so the protocol exchange has ended, no need
+        * for us to send the asterisk. */
+       return PS_AUTHFAIL;
+    }
+
+    /* validate challenge:
+     * - ident
+     * - message type
+     * - that offset points into buffer
+     * - that offset + length does not wrap
+     * - that offset + length is not bigger than buffer */
+    if (0 != memcmp("NTLMSSP", challenge.ident, 8)
+           || challenge.msgType != 2
+           || challenge.uDomain.offset > (unsigned)result
+           || (challenge.uDomain.offset + challenge.uDomain.len) < challenge.uDomain.offset
+           || (challenge.uDomain.offset + challenge.uDomain.len) > (unsigned)result)
+    {
+       report (stderr, GT_("NTLM challenge contains invalid data.\n"));
+       result = PS_AUTHFAIL;
+       goto cancelfail;
+    }
 
     if (outlevel >= O_DEBUG)
        dumpSmbNtlmAuthChallenge(stdout, &challenge);