author | Daniel Stenberg <daniel@haxx.se> | 2004-12-07 23:09:41 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2004-12-07 23:09:41 +0000 |
commit | 80a324386b0d6653a19da6e3eeb28530e2478e5d (patch) | |
tree | 2197e3cf03a1b37b61f29bdb85afd70036889763 /lib | |
parent | 163518778c9d59256ab59dd7fb99d21f8a0e9ae7 (diff) |
Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
libcurl always and unconditionally overwrote a stack-based array with 3 zero
bytes. I edited the fix to make it less likely to occur again (and added
a comment explaining the reason to the buffer size).
Diffstat (limited to 'lib')
-rw-r--r-- | lib/http_ntlm.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c
index dc31e837a..7de00ada1 100644
--- a/lib/http_ntlm.c
+++ b/lib/http_ntlm.c
@@ -202,6 +202,8 @@ static void mkhash(char *password,
#endif
)
{
+ /* 21 bytes fits 3 7-bytes chunks, as we use 56 bit (7 bytes) as DES input,
+ and we add three different ones, see the calc_resp() function */
unsigned char lmbuffer[21];
#ifdef USE_NTRESPONSES
unsigned char ntbuffer[21];
@@ -239,7 +241,7 @@ static void mkhash(char *password,
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8), DESKEY(ks), DES_ENCRYPT);
- memset(lmbuffer+16, 0, 5);
+ memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);
}
/* create LM responses */
calc_resp(lmbuffer, nonce, lmresp);
@@ -260,7 +262,7 @@ static void mkhash(char *password,
MD4_Update(&MD4, pw, 2*len);
MD4_Final(ntbuffer, &MD4);
- memset(ntbuffer+16, 0, 8);
+ memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);
}
calc_resp(ntbuffer, nonce, ntresp); |
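Review bot: The offset `16` remains a bare literal in the rewritten call `memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);`, and again in `memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);` in the third hunk, so the length now follows the array while the start of the padding follows nothing. A named constant for the 16-byte hash length used in both calls, with a comment such as `/* bytes 16..20 are zero padding so the buffer splits into three 7-byte DES keys */`, would keep offset and size from drifting apart. The expression also relies on `lmbuffer` and `ntbuffer` staying true arrays: if either is ever turned into a pointer parameter, `sizeof` yields the pointer size and the unsigned subtraction wraps to a very large length, which deserves a word in that comment. mkhash() starts and ends outside the hunk.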
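Review bot: After `calc_resp(ntbuffer, nonce, ntresp);` nothing in the visible lines clears `ntbuffer`, and the same holds for `lmbuffer` after `calc_resp(lmbuffer, nonce, lmresp);` in the second hunk. From the DES and MD4 calls shown, these arrays presumably hold the LM and NT hashes, which are password-equivalent for NTLM, and `pw` appears to hold the expanded password. The rest of mkhash() is outside the hunk, so this may already be handled. If it is not, wiping the three buffers before return with a routine the compiler cannot optimise away would keep that material from lingering on the stack.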