From 4950b4f4417498adee3cbed0e35c37081770afae Mon Sep 17 00:00:00 2001
From: mtortonesi <devnull@localhost>
Date: Thu, 13 Oct 2005 02:04:16 -0700
Subject: [PATCH] [svn] Added Daniel's fix for remotely exploitable buffer
 overflow vulnerability in NTML code.

---
 src/ChangeLog   | 4 ++++
 src/http-ntlm.c | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/src/ChangeLog b/src/ChangeLog
index 171a4ef5..bf96c92e 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,7 @@
+2005-10-13  Daniel Stenberg  <daniel@haxx.se>
+
+	* http-ntlm.c (ntlm_output): Fixed buffer overflow vulnerability.
+
 2005-10-09  Russ Allbery  <rra@stanford.edu>
 
 	* snprintf.c: Remove round to round_int and pow10 to pow10_int, to
diff --git a/src/http-ntlm.c b/src/http-ntlm.c
index 5e45c0db..63827caa 100644
--- a/src/http-ntlm.c
+++ b/src/http-ntlm.c
@@ -524,6 +524,11 @@ ntlm_output (struct ntlmdata *ntlm, const char *user, const char *passwd,
     size=64;
     ntlmbuf[62]=ntlmbuf[63]=0;
 
+    /* Make sure that the user and domain strings fit in the target buffer
+       before we copy them there. */
+    if(size + userlen + domlen >= sizeof(ntlmbuf))
+      return NULL;
+    
     memcpy(&ntlmbuf[size], domain, domlen);
     size += domlen;
 
-- 
2.39.2