Description: Fix CVE-2013-1762
buffer overflow in NTLM authentication of the CONNECT protocol
negotiation
Origin: vendor
Bug-Debian: http://bugs.debian.org/702267
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-04-22
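--- a/src/protocol.c
+++ b/src/protocol.c
@@ -566,7 +566,7 @@
 #define s_min(a, b) ((a)>(b)?(b):(a))
 
 static void ntlm(CLI *c) {
- char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
+ char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
 long content_length=0; /* no HTTP content */
 
 /* send Proxy-Authorization (phase 1) */
@@ -582,8 +582,8 @@
 line=fd_getline(c, c->remote_fd.fd);
 
 /* receive Proxy-Authenticate (phase 2) */
- if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
- s_log(LOG_ERR, "NTLM authorization request rejected");
+ if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
+ s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
 do { /* read all headers */
 line=fd_getline(c, c->remote_fd.fd);
 } while(*line);
@@ -594,8 +594,13 @@
 line=fd_getline(c, c->remote_fd.fd);
 if(isprefix(line, "Proxy-Authenticate: NTLM "))
 ntlm2_txt=str_dup(line+25);
- else if(isprefix(line, "Content-Length: "))
- content_length=atol(line+16);
+ else if(isprefix(line, "Content-Length: ")) {
+ content_length=strtol(line+16, &tmpstr, 10);
+ if(tmpstr==line+16 || *tmpstr || content_length<0) {
+ s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
+ longjmp(c->err, 1);
+ }
+ }
 } while(*line);
 if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
 s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
@@ -603,7 +608,7 @@
 }
 
 /* read and ignore HTTP content (if any) */
- while(content_length) {
+ while(content_length>0) {
 read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
 content_length-=s_min(content_length, BUFSIZ);
 }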
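Review bot: The new Content-Length check around the `strtol` call rejects non-numeric and negative values but not overflow: for an out-of-range value `strtol` returns LONG_MAX with errno set to ERANGE, which passes `content_length<0` and leaves the drain loop reading a proxy-chosen, effectively unbounded amount of data. Set `errno=0;` before the call and extend the test to `if(tmpstr==line+16 || *tmpstr || content_length<0 || errno==ERANGE) {` (this needs `<errno.h>`, whose inclusion is not visible in these hunks), and consider an upper bound on how much ignored body the client is willing to drain. A short comment above the check would also help, e.g. `/* must be >=0: used below as the read_blocking() length into buf[BUFSIZ] */`, since that is why a negative value was dangerous. In the same header loop, `ntlm2_txt=str_dup(line+25)` overwrites any earlier copy if the proxy repeats the header; whether that leaks depends on str_dup's allocator, which is not shown, and the body of ntlm() continues outside the hunks.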