From 4950b4f4417498adee3cbed0e35c37081770afae Mon Sep 17 00:00:00 2001
From: mtortonesi
Date: Thu, 13 Oct 2005 02:04:16 -0700
Subject: [PATCH] [svn] Added Daniel's fix for remotely exploitable buffer overflow vulnerability in NTML code.

---
 src/ChangeLog | 4 ++++
 src/http-ntlm.c | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/src/ChangeLog b/src/ChangeLog
index 171a4ef5..bf96c92e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2005-10-13 Daniel Stenberg
+
+ * http-ntlm.c (ntlm_output): Fixed buffer overflow vulnerability.
+
 2005-10-09 Russ Allbery
 
 * snprintf.c: Remove round to round_int and pow10 to pow10_int, to
diff --git a/src/http-ntlm.c b/src/http-ntlm.c
index 5e45c0db..63827caa 100644
--- a/src/http-ntlm.c
+++ b/src/http-ntlm.c
@@ -524,6 +524,11 @@ ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
 size=64;
 ntlmbuf[62]=ntlmbuf[63]=0;
 
+ /* Make sure that the user and domain strings fit in the target buffer
+ before we copy them there. */
+ if(size + userlen + domlen >= sizeof(ntlmbuf))
+ return NULL;
+
 memcpy(&ntlmbuf[size], domain, domlen);
 size += domlen;
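Review bot: The added guard `if(size + userlen + domlen >= sizeof(ntlmbuf))` sums three lengths whose declarations are outside this hunk; if they are signed `int`, the addition is done before the comparison with `size_t` and could wrap for a very long user or domain string, so comparing against the remaining space is safer, e.g. `if(userlen >= sizeof(ntlmbuf) - size || domlen >= sizeof(ntlmbuf) - size - userlen) return NULL;`. The check also covers only the domain and user copies; ntlm_output continues past the end of the hunk, and anything appended to ntlmbuf after them needs to be included in this bound or checked separately. Returning NULL here is a new failure path, so the caller should be confirmed to handle a NULL result, and a comment such as `/* Returns NULL if the user and domain do not fit in ntlmbuf. */` on the function would document it.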