1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/http_auth_handler_ntlm.h" | 5 #include "net/http/http_auth_handler_ntlm.h" |
6 | 6 |
7 #include <stdlib.h> | 7 #include <stdlib.h> |
8 // For gethostname | 8 // For gethostname |
9 #if defined(OS_POSIX) | 9 #if defined(OS_POSIX) |
10 #include <unistd.h> | 10 #include <unistd.h> |
11 #elif defined(OS_WIN) | 11 #elif defined(OS_WIN) |
12 #include <winsock2.h> | 12 #include <winsock2.h> |
13 #endif | 13 #endif |
14 | 14 |
15 #include "base/md5.h" | 15 #include "base/md5.h" |
16 #include "base/rand_util.h" | 16 #include "base/rand_util.h" |
17 #include "base/strings/string_util.h" | 17 #include "base/strings/string_util.h" |
18 #include "base/strings/sys_string_conversions.h" | 18 #include "base/strings/sys_string_conversions.h" |
19 #include "base/strings/utf_string_conversions.h" | 19 #include "base/strings/utf_string_conversions.h" |
20 #include "net/base/net_errors.h" | 20 #include "net/base/net_errors.h" |
21 #include "net/base/network_interfaces.h" | 21 #include "net/base/network_interfaces.h" |
22 #include "net/http/des.h" | 22 #include "net/ntlm/des.h" |
23 #include "net/http/md4.h" | 23 #include "net/ntlm/md4.h" |
24 | 24 |
25 namespace net { | 25 namespace net { |
26 | 26 |
27 // Based on mozilla/security/manager/ssl/src/nsNTLMAuthModule.cpp, | 27 // Based on mozilla/security/manager/ssl/src/nsNTLMAuthModule.cpp, |
28 // CVS rev. 1.14. | 28 // CVS rev. 1.14. |
29 // | 29 // |
30 // TODO(wtc): | 30 // TODO(wtc): |
31 // - The IS_BIG_ENDIAN code is not tested. | 31 // - The IS_BIG_ENDIAN code is not tested. |
32 // - Enable the logging code or just delete it. | 32 // - Enable the logging code or just delete it. |
33 // - Delete or comment out the LM code, which hasn't been tested and isn't | 33 // - Delete or comment out the LM code, which hasn't been tested and isn't |
356 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) | 356 if (memcmp(cursor, NTLM_TYPE2_MARKER, sizeof(NTLM_TYPE2_MARKER)) != 0) |
357 return ERR_UNEXPECTED; | 357 return ERR_UNEXPECTED; |
358 cursor += sizeof(NTLM_TYPE2_MARKER); | 358 cursor += sizeof(NTLM_TYPE2_MARKER); |
359 | 359 |
360 // read target name security buffer | 360 // read target name security buffer |
361 uint32_t target_len = ReadUint16(cursor); | 361 uint32_t target_len = ReadUint16(cursor); |
362 ReadUint16(cursor); // discard next 16-bit value | 362 ReadUint16(cursor); // discard next 16-bit value |
363 uint32_t offset = ReadUint32(cursor); // get offset from in_buf | 363 uint32_t offset = ReadUint32(cursor); // get offset from in_buf |
364 msg->target_len = 0; | 364 msg->target_len = 0; |
365 msg->target = NULL; | 365 msg->target = NULL; |
366 // Check the offset / length combo is in range of the input buffer, including | 366 |
367 // integer overflow checking. | 367 // Target length 0 is valid and indicates no target information. |
368 if (offset + target_len > offset && offset + target_len <= in_len) { | 368 if (target_len != 0) { |
369 msg->target_len = target_len; | 369 // Check the offset / length combo is in range of the input buffer, |
370 msg->target = ((const uint8_t*)in_buf) + offset; | 370 // including integer overflow checking. |
| 371 if (target_len <= in_len && in_len - offset >= target_len) { |
| 372 msg->target_len = target_len; |
| 373 msg->target = ((const uint8_t*)in_buf) + offset; |
| 374 } else { |
| 375 // Reject a message with a non-zero target length that |
| 376 // would cause an overflow. |
| 377 return ERR_UNEXPECTED; |
| 378 } |
371 } | 379 } |
372 | 380 |
373 // read flags | 381 // read flags |
374 msg->flags = ReadUint32(cursor); | 382 msg->flags = ReadUint32(cursor); |
375 | 383 |
376 // read challenge | 384 // read challenge |
377 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); | 385 memcpy(msg->challenge, cursor, sizeof(msg->challenge)); |
378 cursor += sizeof(msg->challenge); | 386 cursor += sizeof(msg->challenge); |
379 | 387 |
380 NTLM_LOG(("NTLM type 2 message:\n")); | 388 NTLM_LOG(("NTLM type 2 message:\n")); |
658 // of NTLM. | 666 // of NTLM. |
659 std::unique_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM); | 667 std::unique_ptr<HttpAuthHandler> tmp_handler(new HttpAuthHandlerNTLM); |
660 if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin, | 668 if (!tmp_handler->InitFromChallenge(challenge, target, ssl_info, origin, |
661 net_log)) | 669 net_log)) |
662 return ERR_INVALID_RESPONSE; | 670 return ERR_INVALID_RESPONSE; |
663 handler->swap(tmp_handler); | 671 handler->swap(tmp_handler); |
664 return OK; | 672 return OK; |
665 } | 673 } |
666 | 674 |
667 } // namespace net | 675 } // namespace net |
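Review bot: The new bounds check at new line 371, `target_len <= in_len && in_len - offset >= target_len`, does not reject an offset larger than in_len: offset is a uint32_t (line 363), so when in_len is no wider than 32 bits the subtraction is unsigned, wraps to a large value for offset > in_len, satisfies `>= target_len`, and msg->target is then set to a pointer past the end of in_buf. The old condition `offset + target_len <= in_len` did cover that case, so the rewrite weakens the check for a message that arrives from the server. Order the checks so the subtraction cannot wrap: `if (offset <= in_len && target_len <= in_len - offset) {`. ParseType2Msg's signature and the type of in_len lie outside the hunk, so confirm the width of in_len; the proposed form is correct for any unsigned or 32-bit type.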