ALT Linux Bugzilla
– Attachment 430 Details for
Bug 4330
Buffer Overflow Vulnerability in Squid NTLM Authentication Helper
[patch]
http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch в пригодном для прикладывания виде
squid-2.5.STABLE5-libntlmssp.c.patch (text/plain), 2.05 KB, created by
Denis Ovsienko
on 2004-06-10 12:58:15 MSD
Description:
http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch в пригодном для прикладывания виде
Creator:
Denis Ovsienko
Created:
2004-06-10 12:58:15 MSD
Size:
2.05 KB
>diff -urN squid-2.5.STABLE5.orig/helpers/ntlm_auth/SMB/libntlmssp.c squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c
>--- squid-2.5.STABLE5.orig/helpers/ntlm_auth/SMB/libntlmssp.c 2001-11-30 11:50:28 +0200
>+++ squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c 2004-06-10 11:49:23 +0300
>@@ -161,8 +161,10 @@
> #define min(A,B) (A<B?A:B)
> 
> int ntlm_errno;
>-static char credentials[1024]; /* we can afford to waste */
>-
>+#define MAX_USERNAME_LEN 255
>+#define MAX_DOMAIN_LEN 255
>+#define MAX_PASSWD_LEN 31
>+static char credentials[MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2]; /* we can afford to waste */
> 
> /* Fetches the user's credentials from the challenge.
> * Returns NULL if domain or user is not defined
>@@ -197,7 +199,7 @@
> ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
> {
> int rv;
>- char pass[25] /*, encrypted_pass[40] */;
>+ char pass[MAX_PASSWD_LEN+1];
> char *domain = credentials;
> char *user;
> lstring tmp;
>@@ -215,8 +217,13 @@
> ntlm_errno = NTLM_LOGON_ERROR;
> return NULL;
> }
>+ if (tmp.l > MAX_DOMAIN_LEN) {
>+ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
>+ ntlm_errno = NTLM_LOGON_ERROR;
>+ return NULL;
>+ }
> memcpy(domain, tmp.str, tmp.l);
>- user = domain + tmp.l;
>+ user = domain + tmp.l + 1;
> *user++ = '\0';
> 
> /* debug("fetching user name\n"); */
>@@ -226,6 +233,11 @@
> ntlm_errno = NTLM_LOGON_ERROR;
> return NULL;
> }
>+ if (tmp.l > MAX_USERNAME_LEN) {
>+ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
>+ ntlm_errno = NTLM_LOGON_ERROR;
>+ return NULL;
>+ }
> memcpy(user, tmp.str, tmp.l);
> *(user + tmp.l) = '\0';
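Review bot: In the `@@ -161,8 +161,10 @@` hunk the retained comment `/* we can afford to waste */` no longer matches the declaration, because `credentials` is now sized to exactly `MAX_USERNAME_LEN+MAX_DOMAIN_LEN+2` with no slack. A comment such as `/* domain + NUL + user + NUL, no spare bytes */` would record what the `+2` is for and make it clear that the offsets computed in `ntlm_check_auth` must fit this size exactly. The three new limits would also benefit from a one-line comment each saying where the values 255, 255 and 31 come from.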
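Review bot: In the `@@ -215,8 +217,13 @@` hunk the new `user = domain + tmp.l + 1;` is followed by the unchanged `*user++ = '\0';`, so the terminator lands at `domain[tmp.l + 1]` and the user name starts at `domain[tmp.l + 2]`. `domain[tmp.l]` is never written by the visible code, and because `credentials` is a static buffer it may still hold a byte from an earlier request, leaving the domain string unterminated at the intended position. With a 255-byte domain and a 255-byte user name, the later `*(user + tmp.l) = '\0';` then stores at index 512 of the 512-byte array, one past its end. Keeping the original `user = domain + tmp.l;` puts the NUL directly after the domain and makes the `+2` in the buffer size exact. The body of `ntlm_check_auth` starts and ends outside this hunk.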
> 
>@@ -237,9 +249,14 @@
> ntlm_errno = NTLM_LOGON_ERROR;
> return NULL;
> }
>+ if (tmp.l > MAX_PASSWD_LEN) {
>+ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
>+ ntlm_errno = NTLM_LOGON_ERROR;
>+ return NULL;
>+ }
> 
> memcpy(pass, tmp.str, tmp.l);
>- pass[25] = '\0';
>+ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
> 
> #if 1
> debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'"
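Review bot: In the `@@ -237,9 +249,14 @@` hunk, `pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';` clamps a value that the added `tmp.l > MAX_PASSWD_LEN` check has already bounded, and it does so through the `min` macro, whose expansion `(A<B?A:B)` does not parenthesize its arguments; `pass[tmp.l] = '\0';` states the same thing directly. Separately, the declaration of `lstring` is not shown on this page: if its `l` field is a signed type, none of the three new upper-bound checks rejects a negative length on its own, so it is worth confirming that the condition cut off above each check already does so before the `memcpy`. The function body and the trailing `debug (...)` statement continue outside this hunk.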