|
|
a950f6 |
diff --git a/lib/ntlmauth/ntlmauth.cc b/lib/ntlmauth/ntlmauth.cc
|
|
|
a950f6 |
index 2703187..753dac6 100644
|
|
|
a950f6 |
--- a/lib/ntlmauth/ntlmauth.cc
|
|
|
a950f6 |
+++ b/lib/ntlmauth/ntlmauth.cc
|
|
|
a950f6 |
@@ -106,10 +106,19 @@ ntlm_fetch_string(const ntlmhdr *packet, const int32_t packet_size, const strhdr
|
|
|
a950f6 |
int32_t o = le32toh(str->offset);
|
|
|
a950f6 |
// debug("ntlm_fetch_string(plength=%d,l=%d,o=%d)\n",packet_size,l,o);
|
|
|
a950f6 |
|
|
|
a950f6 |
- if (l < 0 || l > NTLM_MAX_FIELD_LENGTH || o + l > packet_size || o == 0) {
|
|
|
a950f6 |
- debug("ntlm_fetch_string: insane data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
|
|
a950f6 |
+ if (l < 0 || l > NTLM_MAX_FIELD_LENGTH) {
|
|
|
a950f6 |
+ debug("ntlm_fetch_string: insane string length (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
|
|
a950f6 |
return rv;
|
|
|
a950f6 |
}
|
|
|
a950f6 |
+ else if (o <= 0 || o > packet_size) {
|
|
|
a950f6 |
+ debug("ntlm_fetch_string: insane string offset (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
|
|
a950f6 |
+ return rv;
|
|
|
a950f6 |
+ }
|
|
|
a950f6 |
+ else if (l > packet_size - o) {
|
|
|
a950f6 |
+ debug("ntlm_fetch_string: truncated string data (pkt-sz: %d, fetch len: %d, offset: %d)\n", packet_size,l,o);
|
|
|
a950f6 |
+ return rv;
|
|
|
a950f6 |
+ }
|
|
|
a950f6 |
+
|
|
|
a950f6 |
rv.str = (char *)packet + o;
|
|
|
a950f6 |
rv.l = 0;
|
|
|
a950f6 |
if ((flags & NTLM_NEGOTIATE_ASCII) == 0) {
|