1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
diff --git a/ntlm.h b/ntlm.h
index 1469633..ad83520 100644
--- a/ntlm.h
+++ b/ntlm.h
@@ -32,8 +32,8 @@ uint32 msgType;
tSmbStrHeader uDomain;
uint32 flags;
uint8 challengeData[8];
-uint8 reserved[8];
-tSmbStrHeader emptyString;
+uint32 context[2];
+tSmbStrHeader targetInfo;
uint8 buffer[1024];
uint32 bufIndex;
}tSmbNtlmAuthChallenge;
diff --git a/ntlmsubr.c b/ntlmsubr.c
index f9d2733..63cbed8 100644
--- a/ntlmsubr.c
+++ b/ntlmsubr.c
@@ -55,7 +55,32 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto)
if ((result = gen_recv(sock, msgbuf, sizeof msgbuf)))
goto cancelfail;
- (void)from64tobits (&challenge, msgbuf, sizeof(challenge));
+ if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0
+ || result < ((void *)&challenge.context - (void *)&challenge))
+ {
+ report (stderr, GT_("could not decode BASE64 challenge\n"));
+ /* We do not goto cancelfail; the server has already sent the
+ * tagged reply, so the protocol exchange has ended, no need
+ * for us to send the asterisk. */
+ return PS_AUTHFAIL;
+ }
+
+ /* validate challenge:
+ * - ident
+ * - message type
+ * - that offset points into buffer
+ * - that offset + length does not wrap
+ * - that offset + length is not bigger than buffer */
+ if (0 != memcmp("NTLMSSP", challenge.ident, 8)
+ || challenge.msgType != 2
+ || challenge.uDomain.offset > result
+ || challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset
+ || challenge.uDomain.offset + challenge.uDomain.len > result)
+ {
+ report (stderr, GT_("NTLM challenge contains invalid data.\n"));
+ result = PS_AUTHFAIL;
+ goto cancelfail;
+ }
if (outlevel >= O_DEBUG)
dumpSmbNtlmAuthChallenge(stdout, &challenge);
|
