While I've been trying to code up the 'Negotiate' (SPNEGO) support for Squid, I have seen a lot of:
ntlm_request->authchallenge = xstrndup(reply, NTLM_CHALLENGE_SZ
+ 5);
These worry me - not only are these packets not fixed size, Squid has no
way of knowing what they should be!
There are parts of the NTLMSSP protocol that can expand - like the DNS
and domain names - send by both clients and servers. I'm worried that
artificial limitations will just bite some unfortunate user. (I found
a similar issue in Samba, where a only the BBC had enough servers to
fill a fixed-length buffer. It took months to track down...)
Is there any reason not to simply use strdup() here?
Andrew Bartlett
signature.asc
Description: This is a digitally signed message part
