Chromium Code Reviews

Unified Diff: net/http/http_auth_handler_ntlm.cc

Issue 155311: Validate offset / length of extra field in the message. Note these fields are... (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/
Patch Set: Created 11 years, 5 months ago
Index: net/http/http_auth_handler_ntlm.cc
===================================================================
--- net/http/http_auth_handler_ntlm.cc (revision 19403)
+++ net/http/http_auth_handler_ntlm.cc (working copy)
@@ -411,10 +411,17 @@
cursor += sizeof(NTLM_TYPE2_MARKER);
// read target name security buffer
- msg->target_len = ReadUint16(cursor);
+ uint32 target_len = ReadUint16(cursor);
ReadUint16(cursor); // discard next 16-bit value
uint32 offset = ReadUint32(cursor); // get offset from in_buf
- msg->target = ((const uint8*) in_buf) + offset;
+ msg->target_len = 0;
+ msg->target = NULL;
+ // Check the offset / length combo is in range of the input buffer, including
+ // integer overflow checking.
+ if (offset + target_len > offset && offset + target_len <= in_len) {
wtc 2009/07/13 18:07:30 Should we return ERR_UNEXPECTED or some other erro
+ msg->target_len = target_len;
+ msg->target = ((const uint8*) in_buf) + offset;
+ }
// read flags
msg->flags = ReadUint32(cursor);
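Review bot: The overflow guard `offset + target_len > offset` rejects a legitimate zero-length target name (offset + 0 > offset is false), so msg->target stays NULL even when the offset is within in_len; that is harmless here only because target_len is also left at 0, but the intent is clearer, and wraparound is avoided without relying on the sum at all, if the condition is written as `target_len <= in_len && offset <= in_len - target_len`. Separately, as wtc asks in the inline comment, zeroing the buffer silently hides a malformed Type 2 message from the caller; returning an error would let callers distinguish "no target name" from "corrupt message". Finally, the fixed-position reads via ReadUint16/ReadUint32 at the top of this hunk are not range-checked against in_len here, so the caller must already have verified that in_len covers the full fixed header before this code runs; it would be worth confirming that in this patch.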
