Am 30.10.2015 um 14:58 schrieb Steffan Karger:
Hi Holger, On Fri, Oct 30, 2015 at 2:34 PM, Holger Kummert <[email protected]> wrote:static void -add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos) +add_security_buffer(int sb_offset, void *data, int length, unsigned char *msg_buf, int *msg_bufpos, int msg_buflen) { + if ((*msg_bufpos - *msg_buf) + length > msg_buflen) { + msg (M_INFO, "Warning: Not enough space in destination buffer"); + return; + } +I don't think this is what you intended, or does *msg_buf contain some magic length field? You probably want something like: ASSERT (length > 0 && *msg_bufpos > 0 && msg_buflen > 0); if (msg_buflen - length < msg_bufpos) { /* error */ } That should be an integer-overflow safe overflow check.Hmm, I think it won't work as msg_bufpos is a pointer into memory, right? What about improving the first version with ASSERT (length > 0 && *msg_bufpos > 0 && msg_buflen > 0); if ((msg_bufpos - msg_buf) + length > msg_buflen) { ...Seems I forgot the * before the second msg_bufpos, sorry. msg_bufpos itself is a pointer indeed, but *msg_bufpos is (used as) an offset into msg_buf: memcpy(&msg_buf[*msg_bufpos], data, msg_buf[sb_offset]); msg_bufpos (without the *) is not related to msg_buf.
Ah, then your first proposal makes sense (i.e. if (msg_buflen - length < *msg_bufpos) ) We could take that. Sry, didn't look into the ntlm-code ... Regards, Holger
