[svn] Added Daniel's fix for remotely exploitable buffer overflow vulnerability in...

[wget] / src / http-ntlm.c

diff --git a/src/http-ntlm.c b/src/http-ntlm.c
index c0d2511c1df5b00385e633140816e0a795d47701..63827caac64990c1856715fea8c11924ddce391c 100644 (file)
--- a/src/http-ntlm.c
+++ b/src/http-ntlm.c
@@ -1,6 +1,6 @@
 /* NTLM code.
    Copyright (C) 2005 Free Software Foundation, Inc.
-   Donated by Daniel Stenberg.
+   Contributed by Daniel Stenberg.
 
 This file is part of GNU Wget.
 
@@ -15,8 +15,8 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with Wget; if not, write to the Free Software
-Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+along with Wget; if not, write to the Free Software Foundation, Inc.,
+51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 
 In addition, as a special exception, the Free Software Foundation
 gives permission to link the code of its release of Wget with the
@@ -37,7 +37,6 @@ so, delete this exception statement from your version.  */
 
 */
 
-/* -- WIN32 approved -- */
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
@@ -114,12 +113,12 @@ so, delete this exception statement from your version.  */
      beginning of the NTLM message, in bytes.
 */
 
-/* return 1 on success, 0 otherwise */
-int
+/* return true on success, false otherwise */
+bool
 ntlm_input (struct ntlmdata *ntlm, const char *header)
 {
   if (0 != strncmp (header, "NTLM", 4))
-    return 0;
+    return false;
 
   header += 4;
   while (*header && ISSPACE(*header))
@@ -147,7 +146,7 @@ ntlm_input (struct ntlmdata *ntlm, const char *header)
 
       size = base64_decode (header, buffer);
       if (size < 0)
-       return 0;               /* malformed base64 from server */
+       return false;           /* malformed base64 from server */
 
       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
 
@@ -162,14 +161,14 @@ ntlm_input (struct ntlmdata *ntlm, const char *header)
       if (ntlm->state >= NTLMSTATE_TYPE1)
        {
          DEBUGP (("Unexpected empty NTLM message.\n"));
-         return 0; /* this is an error */
+         return false; /* this is an error */
        }
 
       DEBUGP (("Empty NTLM message, starting transaction.\n"));
       ntlm->state = NTLMSTATE_TYPE1; /* we should sent away a type-1 */
     }
 
-  return 1;
+  return true;
 }
 
 /*
@@ -300,7 +299,7 @@ mkhash(const char *password,
 /* this is for creating ntlm header output */
 char *
 ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
-            int *ready)
+            bool *ready)
 {
   const char *domain=""; /* empty */
   const char *host=""; /* empty */
@@ -316,7 +315,7 @@ ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
      server, which is for a plain host or for a HTTP proxy */
   char *output;
 
-  *ready = 0;
+  *ready = false;
 
   /* not set means empty */
   if(!user)
@@ -525,6 +524,11 @@ ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
     size=64;
     ntlmbuf[62]=ntlmbuf[63]=0;
 
+    /* Make sure that the user and domain strings fit in the target buffer
+       before we copy them there. */
+    if(size + userlen + domlen >= sizeof(ntlmbuf))
+      return NULL;
+    
     memcpy(&ntlmbuf[size], domain, domlen);
     size += domlen;
 
@@ -554,14 +558,14 @@ ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
     output = concat_strings ("NTLM ", base64, (char *) 0);
 
     ntlm->state = NTLMSTATE_TYPE3; /* we sent a type-3 */
-    *ready = 1;
+    *ready = true;
   }
   break;
 
   case NTLMSTATE_TYPE3:
     /* connection is already authenticated,
      * don't send a header in future requests */
-    *ready = 1;
+    *ready = true;
     output = NULL;
     break;
   }