From: Aki Tuomi
Date: Mon, 18 May 2020 09:33:39 +0000 (+0300)
Subject: lib-ntlm: Check buffer length on responses
X-Git-Tag: 2.3.11.2~65
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c6405d3026e5ceae3d214d63945bba85251af4c;p=thirdparty%2Fdovecot%2Fcore.git

lib-ntlm: Check buffer length on responses

Add missing check for buffer length. If this is not checked, it is possible to send message which causes read past buffer bug. Broken in c7480644202e5451fbed448508ea29a25cffc99c
---
diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
index 160b9f918c..a29413b47e 100644
--- a/src/lib-ntlm/ntlm-message.c
+++ b/src/lib-ntlm/ntlm-message.c
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
 if (length == 0 && space == 0)
 return TRUE;
 
+ if (length > data_size) {
+ *error = "buffer length out of bounds";
+ return FALSE;
+ }
+
 if (offset >= data_size) {
 *error = "buffer offset out of bounds";
 return FALSE;
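Review bot: The added `length > data_size` check bounds the length on its own, not the end of the region it describes. A response buffer whose offset is valid but close to the end of the message still passes this check and the following `offset >= data_size` check, while offset + length lies past data_size. Unless a check outside the hunk already covers this, compare the length with the space remaining after the offset has been validated, e.g. `if (length > data_size - offset) { *error = "buffer length out of bounds"; return FALSE; }` placed after the offset check, where the subtraction cannot underflow. ntlmssp_check_buffer starts before and continues past the hunk, so the declarations of length, offset and space and any later end-of-buffer check are not visible here.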