1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/http_auth_handler_ntlm.h" | 5 #include "net/http/http_auth_handler_ntlm.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 // For gethostname | 8 // For gethostname |
9 #if defined(OS_POSIX) | 9 #if defined(OS_POSIX) |
10 #include <unistd.h> | 10 #include <unistd.h> |
358 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) | 358 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) |
359 return ERR_UNEXPECTED; | 359 return ERR_UNEXPECTED; |
360 cursor += sizeof(NTLM_TYPE2_MARKER); | 360 cursor += sizeof(NTLM_TYPE2_MARKER); |
361 | 361 |
362 // read target name security buffer | 362 // read target name security buffer |
363 uint32_t target_len = ReadUint16(cursor); | 363 uint32_t target_len = ReadUint16(cursor); |
364 ReadUint16(cursor); // discard next 16-bit value | 364 ReadUint16(cursor); // discard next 16-bit value |
365 uint32_t offset = ReadUint32(cursor); // get offset from in_buf | 365 uint32_t offset = ReadUint32(cursor); // get offset from in_buf |
366 msg->target_len = 0; | 366 msg->target_len = 0; |
367 msg->target = NULL; | 367 msg->target = NULL; |
368 // Check the offset / length combo is in range of the input buffer, including | 368 |
369 // integer overflow checking. | 369 // Target length 0 is valid and indicates no target information. |
370 if (offset + target_len > offset && offset + target_len <= in_len) { | 370 if (target_len != 0) { |
371 msg->target_len = target_len; | 371 // Check the offset / length combo is in range of the input buffer, |
372 msg->target = ((const uint8_t*)in_buf) + offset; | 372 // including integer overflow checking. |
| 373 if (offset + target_len > offset && offset + target_len <= in_len) { |
| 374 msg->target_len = target_len; |
| 375 msg->target = ((const uint8_t*)in_buf) + offset; |
| 376 } else { |
| 377 // Reject a message with a non-zero target length that |
| 378 // would cause an overflow. |
| 379 return ERR_UNEXPECTED; |
| 380 } |
373 } | 381 } |
374 | 382 |
375 // read flags | 383 // read flags |
376 msg->flags = ReadUint32(cursor); | 384 msg->flags = ReadUint32(cursor); |
377 | 385 |
378 // read challenge | 386 // read challenge |
379 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); | 387 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); |
380 cursor += sizeof(msg->challenge); | 388 cursor += sizeof(msg->challenge); |
381 | 389 |
382 NTLM_LOG(("NTLM type 2 message:\n")); | 390 NTLM_LOG(("NTLM type 2 message:\n")); |
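Review bot: The comment at new lines 377–378 describes the rejection more narrowly than the branch it explains — the else arm at 376 is also taken when the sum does not wrap but simply exceeds in_len, so a reader could conclude wraparound is the only failure mode; `// Reject a non-zero target whose offset/length wraps or lies outside in_buf.` covers both. Since the success path does not return, the nesting at 373–380 could also be flattened into a guard, `if (offset + target_len <= offset || offset + target_len > in_len) return ERR_UNEXPECTED;` followed by the two assignments, keeping the check at the same depth as the rest of the parser. The reads through `cursor` at 363–365 and 384–388 carry no bounds check in this hunk; presumably a minimum-length check on in_len precedes them, but that is outside the visible range. The enclosing function starts before and ends after this hunk.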
662 // of NTLM. | 670 // of NTLM. |
663 std::unique_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM); | 671 std::unique_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM); |
664 if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin, | 672 if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin, |
665 net_log)) | 673 net_log)) |
666 return ERR_INVALID_RESPONSE; | 674 return ERR_INVALID_RESPONSE; |
667 handler->swap(tmp_handler); | 675 handler->swap(tmp_handler); |
668 return OK; | 676 return OK; |
669 } | 677 } |
670 | 678 |
671 } // namespace net | 679 } // namespace net |