rpms / wireshark

Clone
Source Code
GIT

Files

  1.   6415a4f2109e4637a9d868ead6dc86570206a862
  2.   SOURCES
  3.   wireshark-1.10.0-CVE-2013-7114.patch
Blob Blame History Raw 
--- trunk/epan/dissectors/packet-ntlmssp.c	2013/11/28 16:33:54	53625
+++ trunk/epan/dissectors/packet-ntlmssp.c	2013/11/28 16:39:04	53626
@@ -517,9 +517,13 @@
                       guint8 *sessionkey , const  guint8 *encryptedsessionkey , int flags ,
                       const ntlmssp_blob *ntlm_response, const ntlmssp_blob *lm_response _U_, ntlmssp_header_t *ntlmssph)
 {
-  char              domain_name_unicode[256];
-  char              user_uppercase[256];
-  char              buf[512];
+/* static const would be nicer, but -Werror=vla does not like it */
+#define DOMAIN_NAME_BUF_SIZE 512
+#define USER_BUF_SIZE 256
+#define BUF_SIZE (DOMAIN_NAME_BUF_SIZE + USER_BUF_SIZE)
+  char              domain_name_unicode[DOMAIN_NAME_BUF_SIZE];
+  char              user_uppercase[USER_BUF_SIZE];
+  char              buf[BUF_SIZE];
   /*guint8 md4[NTLMSSP_KEY_LEN];*/
   unsigned char     nt_password_hash[NTLMSSP_KEY_LEN];
   unsigned char     nt_proof[NTLMSSP_KEY_LEN];
@@ -544,10 +544,10 @@
   nb_pass = get_md4pass_list(&pass_list, nt_password);
 #endif
   i = 0;
-  memset(user_uppercase, 0, 256);
+  memset(user_uppercase, 0, USER_BUF_SIZE);
   user_len = strlen(ntlmssph->acct_name);
-  if (user_len < 129) {
-    memset(buf, 0, 512);
+  if (user_len < USER_BUF_SIZE / 2) {
+    memset(buf, 0, BUF_SIZE);
     str_to_unicode(ntlmssph->acct_name, buf);
     for (j = 0; j < (2*user_len); j++) {
       if (buf[j] != '\0') {
@@ -560,7 +540,7 @@
     return;
   }
   domain_len = strlen(ntlmssph->domain_name);
-  if (domain_len < 129) {
+  if (domain_len < DOMAIN_NAME_BUF_SIZE / 2) {
     str_to_unicode(ntlmssph->domain_name, domain_name_unicode);
   }
   else {
@@ -575,14 +579,14 @@
     printnbyte(nt_password_hash, NTLMSSP_KEY_LEN, "Current NT password hash: ", "\n");
     i++;
     /* ntowf computation */
-    memset(buf, 0, 512);
+    memset(buf, 0, BUF_SIZE);
     memcpy(buf, user_uppercase, user_len*2);
     memcpy(buf+user_len*2, domain_name_unicode, domain_len*2);
     md5_hmac(buf, domain_len*2+user_len*2, nt_password_hash, NTLMSSP_KEY_LEN, ntowf);
     printnbyte(ntowf, NTLMSSP_KEY_LEN, "NTOWF: ", "\n");
 
     /* LM response */
-    memset(buf, 0, 512);
+    memset(buf, 0, BUF_SIZE);
     memcpy(buf, serverchallenge, 8);
     memcpy(buf+8, clientchallenge, 8);
     md5_hmac(buf, NTLMSSP_KEY_LEN, ntowf, NTLMSSP_KEY_LEN, lm_challenge_response);
@@ -590,9 +594,9 @@
     printnbyte(lm_challenge_response, 24, "LM Response: ", "\n");
 
     /* NT proof = First NTLMSSP_KEY_LEN bytes of NT response */
-    memset(buf, 0, 512);
+    memset(buf, 0, BUF_SIZE);
     memcpy(buf, serverchallenge, 8);
-    memcpy(buf+8, ntlm_response->contents+NTLMSSP_KEY_LEN, ntlm_response->length-NTLMSSP_KEY_LEN);
+    memcpy(buf+8, ntlm_response->contents+NTLMSSP_KEY_LEN, MIN(BUF_SIZE - 8, ntlm_response->length-NTLMSSP_KEY_LEN));
     md5_hmac(buf, ntlm_response->length-8, ntowf, NTLMSSP_KEY_LEN, nt_proof);
     printnbyte(nt_proof, NTLMSSP_KEY_LEN, "NT proof: ", "\n");
     if (!memcmp(nt_proof, ntlm_response->contents, NTLMSSP_KEY_LEN)) {

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation