smb: ntlmssp domain_blob_offset underflow check

author Philippe Antoine <contact@catenacyber.fr>

Mon, 4 Apr 2022 20:51:01 +0000 (22:51 +0200)

committer Jason Ish <jason.ish@oisf.net>

Tue, 19 Apr 2022 21:59:14 +0000 (15:59 -0600)
author Philippe Antoine <contact@catenacyber.fr>
Mon, 4 Apr 2022 20:51:01 +0000 (22:51 +0200)
committer Jason Ish <jason.ish@oisf.net>
Tue, 19 Apr 2022 21:59:14 +0000 (15:59 -0600)
diff --git a/rust/src/smb/ntlmssp_records.rs b/rust/src/smb/ntlmssp_records.rs

index d5d8c5125c225d8e9c36558d407165db480e03b0..02a3eab709450314f8c9dec1d065da2e4157393b 100644 (file)
--- a/rust/src/smb/ntlmssp_records.rs
+++ b/rust/src/smb/ntlmssp_records.rs
@@ -87,9 +87,10 @@ named!(pub parse_ntlm_auth_record<NTLMSSPAuthRecord>,
  
           // subtrack 12 as idenfier (8) and type (4) are cut before we are called
           // subtract 60 for the len/offset/maxlen fields above
-         >> cond!(nego_flags.1==1, take!(domain_blob_offset - (12 + 60)))
+         >> cond!(nego_flags.1==1 && domain_blob_offset > 72, take!(domain_blob_offset - (12 + 60)))
+
           // or 52 if we have no version
-         >> cond!(nego_flags.1==0, take!(domain_blob_offset - (12 + 52)))
+         >> cond!(nego_flags.1==0 && domain_blob_offset > 64, take!(domain_blob_offset - (12 + 52)))
  
           >> domain_blob: take!(domain_blob_len)
           >> user_blob: take!(user_blob_len)
author	Philippe Antoine <contact@catenacyber.fr>
	Mon, 4 Apr 2022 20:51:01 +0000 (22:51 +0200)
committer	Jason Ish <jason.ish@oisf.net>
	Tue, 19 Apr 2022 21:59:14 +0000 (15:59 -0600)