---------------------
PatchSet 3588
Date: 2002/01/11 14:27:11
Author: kinkie
Branch: ntlm
Tag: (none)
Log:
Added code to prevent possible buffer overruns.
Members:
src/auth/ntlm/helpers/winbind/wb_ntlm_auth.c:1.1.2.8->1.1.2.9
Index: squid/src/auth/ntlm/helpers/winbind/wb_ntlm_auth.c
===================================================================
RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/helpers/winbind/Attic/wb_ntlm_auth.c,v
retrieving revision 1.1.2.8
retrieving revision 1.1.2.9
diff -u -r1.1.2.8 -r1.1.2.9
--- squid/src/auth/ntlm/helpers/winbind/wb_ntlm_auth.c 4 Jan 2002 10:24:57 -0000 1.1.2.8
+++ squid/src/auth/ntlm/helpers/winbind/wb_ntlm_auth.c 11 Jan 2002 14:27:11 -0000 1.1.2.9
@@ -28,6 +28,10 @@
 #include "winbind_nss_config.h"
 #include "winbindd_nss.h"
+#ifndef min
+#define min(x,y) ((x)<(y)?(x):(y))
+#endif
+
 char debug_enabled=1;
 char *myname;
 pid_t mypid;
@@ -108,7 +112,7 @@
 void do_authenticate(ntlm_authenticate *auth, int auth_length)
 {
 lstring tmp;
- int offset=0;
+ int offset=0,tocopy;
 struct winbindd_request request;
 struct winbindd_response response;
 NSS_STATUS winbindd_result;
@@ -119,9 +123,10 @@
 SEND("NA No domain supplied");
 return;
 }
- memcpy(domuser, tmp.str, tmp.l);
- domuser[tmp.l]='\\';
- offset=tmp.l+1;
+ tocopy=min(tmp.l,sizeof(domuser));
+ xstrncpy(domuser, tmp.str, tocopy);
+ domuser[tocopy]='\\';
+ offset=tocopy+1;
 /* username */
 tmp = ntlm_fetch_string((char *) auth, auth_length, &auth->user);
@@ -129,8 +134,9 @@
 SEND("NA No username in request");
 return;
 }
- memcpy(domuser+offset,tmp.str,tmp.l);
- domuser[offset+tmp.l]='\0';
+ tocopy=min(sizeof(domuser-offset),tmp.l);
+ xstrncpy(domuser+offset,tmp.str,tocopy);
+ domuser[offset+tocopy]='\0';
 /* now the LM hash */
 lmhash = ntlm_fetch_string((char *) auth, auth_length, &auth->lmresponse);
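Review bot: `domuser[tocopy]='\\';` still writes one byte past the end of domuser when tmp.l >= sizeof(domuser), because `min(tmp.l,sizeof(domuser))` lets tocopy equal the full array size (this assumes domuser is an array local to do_authenticate, so that sizeof yields its capacity; its declaration is outside the hunk). The separator, the username and the final NUL are all appended after this copy, so the clamp must leave headroom, e.g. `tocopy=min(tmp.l,sizeof(domuser)-2);`. If xstrncpy has Squid's usual semantics (copy at most n-1 bytes, then NUL-terminate), passing tocopy as the size also drops the last byte of the domain and leaves that NUL inside domuser once the backslash is written after it; tmp.str is a length-delimited field rather than a C string, so the previous `memcpy(domuser, tmp.str, tocopy);` with the clamped length is the better primitive here. Silently truncating the domain changes which principal is looked up, so replying with a SEND("NA ...") when the field does not fit would be the more conservative choice. do_authenticate's body continues outside the hunk.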
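Review bot: `sizeof(domuser-offset)` is the size of a pointer (domuser decays to char * in the subtraction), not the space remaining in the buffer, so the username is clamped to sizeof(char *) bytes; the intended expression is `sizeof(domuser)-offset`. Even with that fix `domuser[offset+tocopy]='\0';` needs one byte of headroom, so the bound should be `tocopy=min(sizeof(domuser)-offset-1,tmp.l);`, which in turn relies on offset being strictly less than sizeof(domuser) after the domain copy in the previous hunk — that hunk does not currently guarantee it. As with the domain, if xstrncpy copies at most n-1 bytes the last character of the username is lost, and memcpy with the clamped length matches the length-delimited source. If tmp.l is a signed int (lstring is not shown), the comparison against a size_t promotes it to unsigned, so a negative length would not be caught by min; worth a check or an explicit cast. The enclosing function continues outside the hunk.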
@@ -138,6 +144,10 @@
 SEND("NA No lm hash");
 return;
 }
+ if (lmhash.l != 24) {
+ SEND("NA broken lm hash");
+ return;
+ }
 nthash = ntlm_fetch_string((char *) auth, auth_length, &auth->ntresponse);
 if (nthash.str == NULL || nthash.l == 0) {
@@ -145,6 +155,10 @@
 nthash.str[0]='\0';
 debug("No NT hash");
 } else {
+ if (nthash.l != 24) {
+ SEND("NA nt hash supplied but broken");
+ return;
+ }
 have_nthash=1;
 }
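Review bot: The expected response length appears as the bare literal 24 in `if (lmhash.l != 24)` here and again in `if (nthash.l != 24)` in the following hunk. Defining it once next to the new `min` macro, e.g. `#define NTLM_RESPONSE_LEN 24` (name is a placeholder) and writing `if (lmhash.l != NTLM_RESPONSE_LEN)`, documents that both the LM and NT responses are required to be exactly 24 bytes and keeps the two checks from drifting apart. The function continues outside both hunks.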