From: Alexey <bigalex934@gmail.com>
Date: Sun, 21 Jan 2024 16:24:57 +0000 (+0000)
Subject: NTLM/Negotiate: Fix crash on bad helper TT responses (#1645)
X-Git-Tag: SQUID_6_7~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a0dc688e6d6b767224ca74ba828c41ae56646123;p=thirdparty%2Fsquid.git

NTLM/Negotiate: Fix crash on bad helper TT responses (#1645)

Helper lookup may be made without a client HTTP Request,
(stored in lm_request->request). But in Helper::TT cases the
lm_request->request was dereferenced without any checks.
---

diff --git a/src/auth/negotiate/UserRequest.cc b/src/auth/negotiate/UserRequest.cc
index abe07d89ce..83756967fd 100644
--- a/src/auth/negotiate/UserRequest.cc
+++ b/src/auth/negotiate/UserRequest.cc
@@ -301,8 +301,11 @@ Auth::Negotiate::UserRequest::HandleReply(void *data, const Helper::Reply &reply
     case Helper::TT:
         /* we have been given a blob to send to the client */
         safe_free(lm_request->server_blob);
-        lm_request->request->flags.mustKeepalive = true;
-        if (lm_request->request->flags.proxyKeepalive) {
+
+        if (lm_request->request)
+            lm_request->request->flags.mustKeepalive = true;
+
+        if (lm_request->request && lm_request->request->flags.proxyKeepalive) {
             const char *tokenNote = reply.notes.findFirst("token");
             lm_request->server_blob = xstrdup(tokenNote);
             auth_user_request->user()->credentials(Auth::Handshake);
diff --git a/src/auth/ntlm/UserRequest.cc b/src/auth/ntlm/UserRequest.cc
index f6f4d87ac9..2fb2995154 100644
--- a/src/auth/ntlm/UserRequest.cc
+++ b/src/auth/ntlm/UserRequest.cc
@@ -295,8 +295,11 @@ Auth::Ntlm::UserRequest::HandleReply(void *data, const Helper::Reply &reply)
     case Helper::TT:
         /* we have been given a blob to send to the client */
         safe_free(lm_request->server_blob);
-        lm_request->request->flags.mustKeepalive = true;
-        if (lm_request->request->flags.proxyKeepalive) {
+
+        if (lm_request->request)
+            lm_request->request->flags.mustKeepalive = true;
+
+        if (lm_request->request && lm_request->request->flags.proxyKeepalive) {
             const char *serverBlob = reply.notes.findFirst("token");
             lm_request->server_blob = xstrdup(serverBlob);
             auth_user_request->user()->credentials(Auth::Handshake);