diff -urN squid-2.5.STABLE5.orig/helpers/ntlm_auth/SMB/libntlmssp.c squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c
--- squid-2.5.STABLE5.orig/helpers/ntlm_auth/SMB/libntlmssp.c 2001-11-30 11:50:28 +0200
+++ squid-2.5.STABLE5/helpers/ntlm_auth/SMB/libntlmssp.c 2004-06-10 11:49:23 +0300
@@ -161,8 +161,10 @@
 #define min(A,B) (A MAX_DOMAIN_LEN) {
+ debug("Domain string exceeds %d bytes, rejecting\n", MAX_DOMAIN_LEN);
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
 memcpy(domain, tmp.str, tmp.l);
- user = domain + tmp.l;
+ user = domain + tmp.l + 1;
 *user++ = '\0';
 /* debug("fetching user name\n"); */
@@ -226,6 +233,11 @@
 ntlm_errno = NTLM_LOGON_ERROR;
 return NULL;
 }
+ if (tmp.l > MAX_USERNAME_LEN) {
+ debug("Username string exceeds %d bytes, rejecting\n", MAX_USERNAME_LEN);
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
 memcpy(user, tmp.str, tmp.l);
 *(user + tmp.l) = '\0';
@@ -237,9 +249,14 @@
 ntlm_errno = NTLM_LOGON_ERROR;
 return NULL;
 }
+ if (tmp.l > MAX_PASSWD_LEN) {
+ debug("Password string exceeds %d bytes, rejecting\n", MAX_PASSWD_LEN);
+ ntlm_errno = NTLM_LOGON_ERROR;
+ return NULL;
+ }
 memcpy(pass, tmp.str, tmp.l);
- pass[25] = '\0';
+ pass[min(MAX_PASSWD_LEN,tmp.l)] = '\0';
 #if 1
 debug ("Empty LM pass detection: user: '%s', ours:'%s', his: '%s'
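Review bot: In the domain-copy hunk, changing the assignment to `user = domain + tmp.l + 1;` while keeping `*user++ = '\0';` moves the terminator to `domain[tmp.l + 1]`, so `domain[tmp.l]` is never written by the visible lines. Unless the buffer is zeroed before the `memcpy`, which this page does not show, the domain string can end with one stale byte, and the user name then starts two bytes past the copied domain instead of one. If the intent is to terminate directly after the copied bytes, the original `user = domain + tmp.l;` already does that once the new length guard is in place. The header and opening lines of this hunk are missing from the page, so the buffer declaration and the start of the guard could not be checked.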
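Review bot: In the hunk at `@@ -226,6 +233,11 @@`, the guard `if (tmp.l > MAX_USERNAME_LEN)` still accepts a length equal to the limit, so `*(user + tmp.l) = '\0';` writes at offset MAX_USERNAME_LEN and the destination needs MAX_USERNAME_LEN + 1 bytes after `user`. Because `user` is derived from `domain` in the earlier hunk and the buffer declaration is not visible here, the combined capacity should be confirmed against both limits plus the separator bytes. The password hunk has the same shape: `pass[min(MAX_PASSWD_LEN,tmp.l)]` can index MAX_PASSWD_LEN, and the `min` is redundant after the guard. If `tmp.l` is a signed type, which these lines do not show, the guards should also reject negative lengths before the `memcpy`, e.g. `if (tmp.l < 0 || tmp.l > MAX_USERNAME_LEN) {`.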