[Openvpn-devel] [PATCH v1] NTLM: add length check to add_security_buffer

2024-01-17 Thread Gert Doering
From: Frank Lichtenheld 

Especially ntlmv2_response can be very big, so make sure
we do not exceed the size of the phase3 buffer.

Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to release/2.6.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/493
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering 


diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index 2e77214..2b735ec 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -167,8 +167,13 @@
 
 static void
 add_security_buffer(int sb_offset, void *data, int length,
-unsigned char *msg_buf, int *msg_bufpos)
+unsigned char *msg_buf, int *msg_bufpos, size_t 
msg_bufsize)
 {
+if (*msg_bufpos + length > msg_bufsize)
+{
+msg(M_WARN, "NTLM: security buffer too big for message buffer");
+return;
+}
 /* Adds security buffer data to a message and sets security buffer's
  * offset and length */
 msg_buf[sb_offset] = (unsigned char)length;
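Review bot: The new guard `*msg_bufpos + length > msg_bufsize` adds two `int` values in signed arithmetic and only then converts the sum to `size_t` for the comparison. The callers in the next hunk pass `strlen()` results into the `int length` parameter, so a very large value could arrive negative or overflow the addition before the check sees it. Validating each operand separately avoids relying on that conversion: `if (length < 0 || *msg_bufpos < 0 || (size_t)*msg_bufpos > msg_bufsize || (size_t)length > msg_bufsize - (size_t)*msg_bufpos)`. The body of add_security_buffer continues outside this hunk, and the same check appears in the master version of the patch (hunk `@@ -154,8 +154,13 @@`).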
@@ -396,20 +401,20 @@
 if (ntlmv2_enabled)  /* NTLMv2 response */
 {
 add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16,
-phase3, _bufpos);
+phase3, _bufpos, sizeof(phase3));
 }
 else   /* NTLM response */
 {
-add_security_buffer(0x14, ntlm_response, 24, phase3, _bufpos);
+add_security_buffer(0x14, ntlm_response, 24, phase3, _bufpos, 
sizeof(phase3));
 }
 
 /* username in ascii */
 add_security_buffer(0x24, username, strlen(username), phase3,
-_bufpos);
+_bufpos, sizeof(phase3));
 
 /* Set domain. If  is empty, default domain will be used
  * (i.e. proxy's domain) */
-add_security_buffer(0x1c, domain, strlen(domain), phase3, _bufpos);
+add_security_buffer(0x1c, domain, strlen(domain), phase3, _bufpos, 
sizeof(phase3));
 
 /* other security buffers will be empty */
 phase3[0x10] = phase3_bufpos; /* lm not used */
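Review bot: None of the updated call sites can tell that `add_security_buffer()` rejected its input, because the function still returns `void` and only logs a warning. After a rejected NTLMv2 response the code still adds the username and domain and, as far as this hunk shows, goes on to finish the phase3 message. That message would carry a security-buffer header that was never filled in, so the likely outcome is a failed proxy authentication explained only by an `M_WARN` line. Consider having `add_security_buffer()` return a `bool` and having the caller stop building phase3 when it returns false. The enclosing function starts and ends outside this hunk, and the same applies to the call sites in the master version (hunk `@@ -362,15 +367,15 @@`).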




[Openvpn-devel] [PATCH v1] NTLM: add length check to add_security_buffer

2024-01-17 Thread Gert Doering
From: Frank Lichtenheld 

Especially ntlmv2_response can be very big, so make sure
we do not exceed the size of the phase3 buffer.

Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld 
Acked-by: Gert Doering 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/496
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering 


diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c
index bc33f41..99d4ae7 100644
--- a/src/openvpn/ntlm.c
+++ b/src/openvpn/ntlm.c
@@ -154,8 +154,13 @@
 
 static void
 add_security_buffer(int sb_offset, void *data, int length,
-unsigned char *msg_buf, int *msg_bufpos)
+unsigned char *msg_buf, int *msg_bufpos, size_t 
msg_bufsize)
 {
+if (*msg_bufpos + length > msg_bufsize)
+{
+msg(M_WARN, "NTLM: security buffer too big for message buffer");
+return;
+}
 /* Adds security buffer data to a message and sets security buffer's
  * offset and length */
 msg_buf[sb_offset] = (unsigned char)length;
@@ -362,15 +367,15 @@
 
 /* NTLMv2 response */
 add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16,
-phase3, _bufpos);
+phase3, _bufpos, sizeof(phase3));
 
 /* username in ascii */
 add_security_buffer(0x24, username, strlen(username), phase3,
-_bufpos);
+_bufpos, sizeof(phase3));
 
 /* Set domain. If  is empty, default domain will be used
  * (i.e. proxy's domain) */
-add_security_buffer(0x1c, domain, strlen(domain), phase3, _bufpos);
+add_security_buffer(0x1c, domain, strlen(domain), phase3, _bufpos, 
sizeof(phase3));
 
 /* other security buffers will be empty */
 phase3[0x10] = phase3_bufpos; /* lm not used */

