Author: kai Date: 2007-08-30 09:02:40 +0000 (Thu, 30 Aug 2007) New Revision: 24796
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24796 Log: Add bounds checking to ntlm_auth, increase initial buffer size to 300 to avoid one talloc/fgets loop in the common case, which is slightly over 200 for the KK response. Modified: branches/SAMBA_4_0/source/utils/ntlm_auth.c Changeset: Modified: branches/SAMBA_4_0/source/utils/ntlm_auth.c =================================================================== --- branches/SAMBA_4_0/source/utils/ntlm_auth.c 2007-08-30 06:45:11 UTC (rev 24795) +++ branches/SAMBA_4_0/source/utils/ntlm_auth.c 2007-08-30 09:02:40 UTC (rev 24796) @@ -38,7 +38,8 @@ #include "lib/messaging/irpc.h" #include "auth/ntlmssp/ntlmssp.h" -#define INITIAL_BUFFER_SIZE 200 +#define INITIAL_BUFFER_SIZE 300 +#define MAX_BUFFER_SIZE 63000 enum stdio_helper_mode { SQUID_2_4_BASIC, @@ -871,7 +872,7 @@ char *buf; char tmp[INITIAL_BUFFER_SIZE+1]; unsigned int mux_id = 0; - int length; + int length, buf_size = 0; char *c; struct mux_private { unsigned int max_mux; @@ -907,6 +908,15 @@ } buf = talloc_append_string(buf, buf, tmp); + buf_size += INITIAL_BUFFER_SIZE; + + if (buf_size > MAX_BUFFER_SIZE) { + DEBUG(0, ("Invalid Request (too large)\n")); + x_fprintf(x_stdout, "ERR\n"); + talloc_free(buf); + return; + } + c = strchr(buf, '\n'); } while (c == NULL);