From 19f66c757573b4940295a83e08eeb86c878b1def Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 22 Feb 2005 07:44:14 +0000 Subject: Thanks for the notification iDEFENCE. We are the "initial vendor" and we sure got no notification, no mail, no nothing. You didn't even bother to mail us when you went public with this. Cool. NTLM buffer overflow fix, as reported here: http://www.securityfocus.com/archive/1/391042 --- lib/http_ntlm.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c index 7de00ada1..62f1e7ef2 100644 --- a/lib/http_ntlm.c +++ b/lib/http_ntlm.c @@ -103,7 +103,6 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn, header++; if(checkprefix("NTLM", header)) { - unsigned char buffer[256]; header += strlen("NTLM"); while(*header && isspace((int)*header)) @@ -123,8 +122,12 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn, (40) Target Information (optional) security buffer(*) 32 (48) start of data block */ + size_t size; + unsigned char *buffer = (unsigned char *)malloc(strlen(header)); + if (buffer == NULL) + return CURLNTLM_BAD; - size_t size = Curl_base64_decode(header, (char *)buffer); + size = Curl_base64_decode(header, (char *)buffer); ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */ @@ -134,6 +137,7 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn, /* at index decimal 20, there's a 32bit NTLM flag field */ + free(buffer); } else { if(ntlm->state >= NTLMSTATE_TYPE1) -- cgit v1.2.3