From: mtortonesi <devnull@localhost>
Date: Thu, 13 Oct 2005 09:04:16 +0000 (-0700)
Subject: [svn] Added Daniel's fix for remotely exploitable buffer overflow vulnerability in... 
X-Git-Tag: v1.13~708
X-Git-Url: http://sjero.net/git/?p=wget;a=commitdiff_plain;h=4950b4f4417498adee3cbed0e35c37081770afae

[svn] Added Daniel's fix for remotely exploitable buffer overflow vulnerability in NTML code.
---

diff --git a/src/ChangeLog b/src/ChangeLog
index 171a4ef5..bf96c92e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2005-10-13  Daniel Stenberg  <daniel@haxx.se>
+
+	* http-ntlm.c (ntlm_output): Fixed buffer overflow vulnerability.
+
 2005-10-09  Russ Allbery  <rra@stanford.edu>
 
 	* snprintf.c: Remove round to round_int and pow10 to pow10_int, to
diff --git a/src/http-ntlm.c b/src/http-ntlm.c
index 5e45c0db..63827caa 100644
--- a/src/http-ntlm.c
+++ b/src/http-ntlm.c
@@ -524,6 +524,11 @@ ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
     size=64;
     ntlmbuf[62]=ntlmbuf[63]=0;
 
+    /* Make sure that the user and domain strings fit in the target buffer
+       before we copy them there. */
+    if(size + userlen + domlen >= sizeof(ntlmbuf))
+      return NULL;
+    
     memcpy(&ntlmbuf[size], domain, domlen);
     size += domlen;