[svn] Added Daniel's fix for remotely exploitable buffer overflow vulnerability in...
authormtortonesi <devnull@localhost>
Thu, 13 Oct 2005 09:04:16 +0000 (02:04 -0700)
committermtortonesi <devnull@localhost>
Thu, 13 Oct 2005 09:04:16 +0000 (02:04 -0700)
src/ChangeLog
src/http-ntlm.c

index 171a4ef58e53f0ecac223b17973c599bfc59aa66..bf96c92ed184040dca3590be5ebda8afc6d4b203 100644 (file)
@@ -1,3 +1,7 @@
+2005-10-13  Daniel Stenberg  <daniel@haxx.se>
+
+       * http-ntlm.c (ntlm_output): Fixed buffer overflow vulnerability.
+
 2005-10-09  Russ Allbery  <rra@stanford.edu>
 
        * snprintf.c: Remove round to round_int and pow10 to pow10_int, to
index 5e45c0dba0ce0d2ebb61aa4bc57ee94f98f38072..63827caac64990c1856715fea8c11924ddce391c 100644 (file)
@@ -524,6 +524,11 @@ ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
     size=64;
     ntlmbuf[62]=ntlmbuf[63]=0;
 
+    /* Make sure that the user and domain strings fit in the target buffer
+       before we copy them there. */
+    if(size + userlen + domlen >= sizeof(ntlmbuf))
+      return NULL;
+    
     memcpy(&ntlmbuf[size], domain, domlen);
     size += domlen;
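Review bot: The added guard `if(size + userlen + domlen >= sizeof(ntlmbuf))` sums three values before comparing them against a `size_t`, and their declarations are outside this hunk. If they are plain `int`, the sum could overflow or be computed from already-truncated lengths for very long inputs before the conversion takes place. Comparing each length against the remaining space avoids that, assuming the lengths and `size` are held as `size_t`: `if (domlen >= sizeof(ntlmbuf) - size || userlen >= sizeof(ntlmbuf) - size - domlen) return NULL;`. The guard bounds only the domain and user copies; ntlm_output continues past the end of this hunk, so anything appended to `ntlmbuf` later needs its own bound. The early `return NULL` is also silent, so I would extend the comment to something like `/* Credentials too long for ntlmbuf: give up; callers must treat NULL as "no NTLM header". */` and confirm that every caller checks for NULL.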