From: Daniel Stenberg Date: Wed, 22 Oct 2025 05:54:33 +0000 (+0200) Subject: ntlm: improved error path on bad incoming NTLM TYPE3 message X-Git-Tag: curl-8_17_0~130 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d922db880c5235eeba481c5be2484d68f610dfff;p=thirdparty%2Fcurl.git ntlm: improved error path on bad incoming NTLM TYPE3 message No leaks Reported-by: Tim Becker Closes #19198 --- diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c index 791fc87d11..d860fbbd50 100644 --- a/lib/vauth/ntlm.c +++ b/lib/vauth/ntlm.c @@ -788,7 +788,8 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* ntresplen + size should not be risking an integer overflow here */ if(ntresplen + size > sizeof(ntlmbuf)) { failf(data, "incoming NTLM message too big"); - return CURLE_OUT_OF_MEMORY; + result = CURLE_TOO_LARGE; + goto error; } DEBUGASSERT(size == (size_t)ntrespoff); memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); @@ -799,8 +800,6 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen); }); - free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */ - DEBUG_OUT({ curl_mfprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ", LONGQUARTET(ntlm->flags), ntlm->flags); @@ -811,8 +810,9 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* Make sure that the domain, user and host strings fit in the buffer before we copy them there. */ if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) { - failf(data, "user + domain + hostname too big"); - return CURLE_OUT_OF_MEMORY; + failf(data, "user + domain + hostname too big for NTLM"); + result = CURLE_TOO_LARGE; + goto error; } DEBUGASSERT(size == domoff); 
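Review bot: The two bounds checks that now `goto error` are still written as sums (`ntresplen + size > sizeof(ntlmbuf)` in the first hunk, `size + userlen + domlen + hostlen >= NTLM_BUFSIZE` in the third), so they are only valid if the operands are too small to wrap, and only the first one says so in a comment. The operand types and their upper bounds are declared outside these hunks, so this may be safe today, but a subtraction form such as `if(ntresplen > sizeof(ntlmbuf) - size)` keeps the guard valid without that assumption, provided `size` cannot exceed the buffer at that point. For the third hunk, if the lengths are bounded earlier in the function, a comment like `/* userlen, domlen and hostlen are bounded by the caller, so this sum cannot wrap */` would record the invariant next to the check. The two checks also spell what is presumably the same limit differently (`> sizeof(ntlmbuf)` versus `>= NTLM_BUFSIZE`); if the off-by-one difference is intentional, it deserves a short comment.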
@@ -842,6 +842,9 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* Return the binary blob. */ result = Curl_bufref_memdup(out, ntlmbuf, size); +error: + free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */ + Curl_auth_cleanup_ntlm(ntlm); return result;
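Review bot: The new `error:` label is also the normal exit, because the successful `Curl_bufref_memdup()` call falls straight through it, so the name suggests a failure-only path that it is not. Either rename it (`out:` or `cleanup:`) or add a comment such as `/* reached on success and on failure; result holds the outcome */`. The `free(ntlmv2resp)` under the label is only safe if `ntlmv2resp` is initialised to NULL at its declaration, which is outside this hunk, so that is worth confirming for every path that can jump here before the NTLMv2 buffer is allocated. The function body starts and ends outside the hunk.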