| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2009 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/http/http_auth_handler_ntlm.h" | 5 #include "net/http/http_auth_handler_ntlm.h" |
| 6 | 6 |
| 7 #include <stdlib.h> | 7 #include <stdlib.h> |
| 8 // For gethostname | 8 // For gethostname |
| 9 #if defined(OS_POSIX) | 9 #if defined(OS_POSIX) |
| 10 #include <unistd.h> | 10 #include <unistd.h> |
| (...skipping 393 matching lines...) | |
| 404 if (memcmp(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) != 0) | 404 if (memcmp(cursor, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) != 0) |
| 405 return ERR_UNEXPECTED; | 405 return ERR_UNEXPECTED; |
| 406 cursor += sizeof(NTLM_SIGNATURE); | 406 cursor += sizeof(NTLM_SIGNATURE); |
| 407 | 407 |
| 408 // verify Type-2 marker | 408 // verify Type-2 marker |
| 409 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) | 409 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) |
| 410 return ERR_UNEXPECTED; | 410 return ERR_UNEXPECTED; |
| 411 cursor += sizeof(NTLM_TYPE2_MARKER); | 411 cursor += sizeof(NTLM_TYPE2_MARKER); |
| 412 | 412 |
| 413 // read target name security buffer | 413 // read target name security buffer |
| 414 msg->target_len = ReadUint16(cursor); | 414 uint32 target_len = ReadUint16(cursor); |
| 415 ReadUint16(cursor); // discard next 16-bit value | 415 ReadUint16(cursor); // discard next 16-bit value |
| 416 uint32 offset = ReadUint32(cursor); // get offset from in_buf | 416 uint32 offset = ReadUint32(cursor); // get offset from in_buf |
| 417 msg->target = ((const uint8*) in_buf) + offset; | 417 msg->target_len = 0; |
| 418 msg->target = NULL; | |
| 419 // Check the offset / length combo is in range of the input buffer, including | |
| 420 // integer overflow checking. | |
| 421 if (offset + target_len > offset && offset + target_len <= in_len) { | |
|
wtc
2009/07/13 18:07:30
Should we return ERR_UNEXPECTED or some other erro
| |
| 422 msg->target_len = target_len; | |
| 423 msg->target = ((const uint8*) in_buf) + offset; | |
| 424 } | |
| 418 | 425 |
| 419 // read flags | 426 // read flags |
| 420 msg->flags = ReadUint32(cursor); | 427 msg->flags = ReadUint32(cursor); |
| 421 | 428 |
| 422 // read challenge | 429 // read challenge |
| 423 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); | 430 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); |
| 424 cursor += sizeof(msg->challenge); | 431 cursor += sizeof(msg->challenge); |
| 425 | 432 |
| 426 NTLM_LOG(("NTLM type 2 message:\n")); | 433 NTLM_LOG(("NTLM type 2 message:\n")); |
| 427 LogBuf("target", (const uint8*) msg->target, msg->target_len); | 434 LogBuf("target", (const uint8*) msg->target, msg->target_len); |
| (...skipping 348 matching lines...) | |
| 776 rv = GenerateType1Msg(out_token, out_token_len); | 783 rv = GenerateType1Msg(out_token, out_token_len); |
| 777 } | 784 } |
| 778 | 785 |
| 779 if (rv == OK) | 786 if (rv == OK) |
| 780 LogToken("out-token", *out_token, *out_token_len); | 787 LogToken("out-token", *out_token, *out_token_len); |
| 781 | 788 |
| 782 return rv; | 789 return rv; |
| 783 } | 790 } |
| 784 | 791 |
| 785 } // namespace net | 792 } // namespace net |
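Review bot: The added range check at new line 421, `if (offset + target_len > offset && offset + target_len <= in_len)`, uses a strict `>` for its wraparound test, so a Type-2 message with a zero-length target name fails it and leaves `msg->target` NULL even when the offset is in range; `LogBuf` at new line 434 and any later reader of `msg->target` then has to tolerate NULL. A subtraction-style check, `if (offset <= in_len && target_len <= in_len - offset)`, cannot wrap and accepts the empty buffer, assuming `in_len` is unsigned (its declaration is outside the visible lines). It would also help to extend the comment above the check to state that an out-of-range security buffer leaves `target` NULL and `target_len` 0, since that is the contract later code now depends on. The enclosing function starts and ends in the skipped regions, so whether `in_len` is compared against the fixed header size before the `memcpy` of the challenge cannot be confirmed from here.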