Description: Fix CVE-2013-1762 buffer overflow in NTLM authentication of the CONNECT protocol negotiation
Origin: vendor
Bug-Debian: http://bugs.debian.org/702267
Forwarded: no
Author: Salvatore Bonaccorso
Last-Update: 2013-04-22
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -566,7 +566,7 @@
 #define s_min(a, b) ((a)>(b)?(b):(a))
 static void ntlm(CLI *c) {
-    char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
+    char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
     long content_length=0; /* no HTTP content */
     /* send Proxy-Authorization (phase 1) */
@@ -582,8 +582,8 @@
     line=fd_getline(c, c->remote_fd.fd); /* receive Proxy-Authenticate (phase 2) */
-    if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
-        s_log(LOG_ERR, "NTLM authorization request rejected");
+    if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
+        s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
         do { /* read all headers */
             line=fd_getline(c, c->remote_fd.fd);
         } while(*line);
@@ -594,8 +594,13 @@
         line=fd_getline(c, c->remote_fd.fd);
         if(isprefix(line, "Proxy-Authenticate: NTLM "))
             ntlm2_txt=str_dup(line+25);
-        else if(isprefix(line, "Content-Length: "))
-            content_length=atol(line+16);
+        else if(isprefix(line, "Content-Length: ")) {
+            content_length=strtol(line+16, &tmpstr, 10);
+            if(tmpstr==line+16 || *tmpstr || content_length<0) {
+                s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
+                longjmp(c->err, 1);
+            }
+        }
     } while(*line);
     if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
         s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
@@ -603,7 +608,7 @@
     }
     /* read and ignore HTTP content (if any) */
-    while(content_length) {
+    while(content_length>0) {
         read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
         content_length-=s_min(content_length, BUFSIZ);
     }
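Review bot: The rejection branch in the second hunk (`@@ -582,8 +582,8 @@`) logs a fixed message and discards the status line that failed the new isprefix() checks, so an operator cannot distinguish a proxy that answered with a non-407 status from one that used an HTTP version the two prefixes do not cover. Including the offending line in the message keeps the diagnostic useful: `s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected: %s", line);`. The remainder of that branch, and the rest of ntlm(), lie outside the hunk.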
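Review bot: The Content-Length validation added in the third hunk (`@@ -594,8 +594,13 @@`) does not detect numeric overflow: strtol() clamps an out-of-range value to LONG_MAX and signals it only through errno, which none of the three conditions reads, so an overlong digit string passes the check and the discard loop at the end of ntlm() then keeps reading until the proxy closes the connection. Set errno before the call and test it with the other conditions: `errno=0;` before `content_length=strtol(line+16, &tmpstr, 10);`, and `if(errno==ERANGE || tmpstr==line+16 || *tmpstr || content_length<0) {`. Whether protocol.c already includes errno.h is not visible in this patch. An explicit upper bound on the body size the client is willing to discard would also cap the time a misbehaving proxy can hold the connection, independent of the overflow case.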