debmon/stunnel4
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
8e474e5321
stunnel4/debian/patches/CVE-2013-1762.patch
Salvatore Bonaccorso 8e474e5321 Imported Debian patch 3:4.53-1.1
2017-03-28 09:58:14 +02:00

57 lines
2.1 KiB
Diff
Raw Blame History

Description: Fix CVE-2013-1762
buffer overflow in NTLM authentication of the CONNECT protocol
negotiation
Origin: vendor
Bug-Debian: http://bugs.debian.org/702267
Forwarded: no
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2013-04-22
--- a/src/protocol.c
+++ b/src/protocol.c
@@ -566,7 +566,7 @@
#define s_min(a, b) ((a)>(b)?(b):(a))
static void ntlm(CLI *c) {
- char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt;
+ char *line, buf[BUFSIZ], *ntlm1_txt, *ntlm2_txt, *ntlm3_txt, *tmpstr;
long content_length=0; /* no HTTP content */
/* send Proxy-Authorization (phase 1) */
@@ -582,8 +582,8 @@
line=fd_getline(c, c->remote_fd.fd);
/* receive Proxy-Authenticate (phase 2) */
- if(line[9]!='4' || line[10]!='0' || line[11]!='7') { /* code 407 */
- s_log(LOG_ERR, "NTLM authorization request rejected");
+ if(!isprefix(line, "HTTP/1.0 407") && !isprefix(line, "HTTP/1.1 407")) {
+ s_log(LOG_ERR, "Proxy-Authenticate: NTLM authorization request rejected");
do { /* read all headers */
line=fd_getline(c, c->remote_fd.fd);
} while(*line);
@@ -594,8 +594,13 @@
line=fd_getline(c, c->remote_fd.fd);
if(isprefix(line, "Proxy-Authenticate: NTLM "))
ntlm2_txt=str_dup(line+25);
- else if(isprefix(line, "Content-Length: "))
- content_length=atol(line+16);
+ else if(isprefix(line, "Content-Length: ")) {
+ content_length=strtol(line+16, &tmpstr, 10);
+ if(tmpstr==line+16 || *tmpstr || content_length<0) {
+ s_log(LOG_ERR, "Proxy-Authenticate: Invalid Content-Length");
+ longjmp(c->err, 1);
+ }
+ }
} while(*line);
if(!ntlm2_txt) { /* no Proxy-Authenticate: NTLM header */
s_log(LOG_ERR, "Proxy-Authenticate: NTLM header not found");
@@ -603,7 +608,7 @@
}
/* read and ignore HTTP content (if any) */
- while(content_length) {
+ while(content_length>0) {
read_blocking(c, c->remote_fd.fd, buf, s_min(content_length, BUFSIZ));
content_length-=s_min(content_length, BUFSIZ);
}
Reference in New Issue View Git Blame Copy Permalink