[libsoup/ntlm-v2-heap-buffer-overflow: 2/2] NTLM: Avoid a potential heap buffer overflow in v2 authentication



commit f8a54ac85eec2008c85393f331cdd251af8266ad
Author: Claudio Saavedra <csaavedra igalia com>
Date:   Mon Oct 7 16:32:15 2019 +0300

    NTLM: Avoid a potential heap buffer overflow in v2 authentication
    
    Check the length of the decoded v2 challenge before attempting to
    parse it, to avoid reading past it.
    
    Fixes #173

 libsoup/soup-auth-ntlm.c | 6 ++++++
 1 file changed, 6 insertions(+)
---
diff --git a/libsoup/soup-auth-ntlm.c b/libsoup/soup-auth-ntlm.c
index ce0b0f5c..2d078461 100644
--- a/libsoup/soup-auth-ntlm.c
+++ b/libsoup/soup-auth-ntlm.c
@@ -731,6 +731,12 @@ soup_ntlm_parse_challenge (const char *challenge,
        *ntlmv2_session = (flags & NTLM_FLAGS_NEGOTIATE_NTLMV2) ? TRUE : FALSE;
        /* To know if NTLMv2 responses should be calculated */
        *negotiate_target = (flags & NTLM_FLAGS_NEGOTIATE_TARGET_INFORMATION ) ? TRUE : FALSE;
+        if (*negotiate_target) {
+            if (clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target)) {
+                g_free (chall);
+                return FALSE;
+            }
+        }
 
        if (default_domain) {
                memcpy (&domain, chall + NTLM_CHALLENGE_DOMAIN_STRING_OFFSET, sizeof (domain));
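Review bot: The added check only bounds the fixed-size read of `target` at NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET; if the code that follows (outside this hunk) uses the offset and length fields decoded from `target` to copy the target information out of `chall`, those values come from the server and need their own bound against `clen`, written in overflow-safe form such as `if (offset > clen || length > clen - offset) { g_free (chall); return FALSE; }` (constructed names). The `default_domain` branch at the bottom of the hunk likewise reads `sizeof (domain)` bytes at NTLM_CHALLENGE_DOMAIN_STRING_OFFSET; unless an earlier check already covers that offset, the same guard applies there. On style, the nested `if` can be folded into `if (*negotiate_target && clen < NTLM_CHALLENGE_TARGET_INFORMATION_OFFSET + sizeof (target))`, and the new lines appear to be indented with spaces while the surrounding code uses tabs. soup_ntlm_parse_challenge starts before and continues after this hunk.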

