From: Alex Rousskov
Date: Fri, 20 Oct 2023 22:24:45 +0000 (+0000)
Subject: negotiate_wrapper_auth: protect from responses over 64KB (#1530)
X-Git-Tag: SQUID_7_0_1~321
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3238ca57c7896f7ab1c58ee078ca7ba91fdaf69f;p=thirdparty%2Fsquid.git

negotiate_wrapper_auth: protect from responses over 64KB (#1530)

... received from NTLM and Kerberos helpers. This code uses MAX_AUTHTOKEN_LEN (~64KB) buffers to read response lines. fgets(3) guarantees to terminate the supplied buffer, but it does not return nil when the input line is larger than the buffer. We have already detected such "Oversized message" cases for fgets(stdin) calls, but not for fgets(FDNOUT) and fgets(FDKOUT) calls.
---

diff --git a/src/auth/negotiate/wrapper/negotiate_wrapper.cc b/src/auth/negotiate/wrapper/negotiate_wrapper.cc
index 5d70b171d8..b53391c370 100644
--- a/src/auth/negotiate/wrapper/negotiate_wrapper.cc
+++ b/src/auth/negotiate/wrapper/negotiate_wrapper.cc
@@ -224,6 +224,13 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
                     LogTime(), PROGRAM);
             return 0;
         }
+
+        if (!memchr(tbuff, '\n', sizeof(tbuff) - 1)) {
+            fprintf(stderr, "%s| %s: Oversized NTLM helper response\n",
+                    LogTime(), PROGRAM);
+            return 0;
+        }
+
         /*
          * Need to translate NTLM reply to Negotiate reply:
          * AF user => AF blob user
@@ -256,6 +263,12 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT, FILE *FDNIN, FILE *FDNOUT)
                     LogTime(), PROGRAM);
             return 0;
         }
+
+        if (!memchr(buff, '\n', sizeof(buff) - 1)) {
+            fprintf(stderr, "%s| %s: Oversized Kerberos helper response\n",
+                    LogTime(), PROGRAM);
+            return 0;
+        }
     }
     buff[sizeof(buff)-1] = '\0'; // paranoid; already terminated correctly
     fprintf(stdout,"%s",buff);
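Review bot: The new `memchr(tbuff, '\n', sizeof(tbuff) - 1)` check scans the whole buffer rather than the line fgets() just stored, so on a short response it reads past the NUL terminator into whatever earlier responses left there (or indeterminate bytes on the first pass, if tbuff is not zero-initialised — its declaration is outside the hunk). A final response that lacks a trailing newline is then accepted or rejected depending on buffer history rather than on its own content. Bounding the scan at the terminator gives the same verdict on the genuinely oversized path (the buffer is full and newline-free either way) and a deterministic one otherwise: `if (!strchr(tbuff, '\n')) {`, and likewise `if (!strchr(buff, '\n')) {` for the Kerberos check in the second hunk. If the existing fgets(stdin) check mentioned in the description uses the same memchr idiom, it would want the same treatment so the three checks stay consistent. processingLoop and the fgets() calls these checks guard lie outside the hunk.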