From a0dc688e6d6b767224ca74ba828c41ae56646123 Mon Sep 17 00:00:00 2001
From: Alexey
Date: Sun, 21 Jan 2024 16:24:57 +0000
Subject: [PATCH] NTLM/Negotiate: Fix crash on bad helper TT responses (#1645)

Helper lookup may be made without a client HTTP Request, (stored in lm_request->request). But in Helper::TT cases the lm_request->request was dereferenced without any checks.
---
 src/auth/negotiate/UserRequest.cc | 7 +++++--
 src/auth/ntlm/UserRequest.cc | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/auth/negotiate/UserRequest.cc b/src/auth/negotiate/UserRequest.cc
index abe07d89ce..83756967fd 100644
--- a/src/auth/negotiate/UserRequest.cc
+++ b/src/auth/negotiate/UserRequest.cc
@@ -301,8 +301,11 @@ Auth::Negotiate::UserRequest::HandleReply(void *data, const Helper::Reply &reply
 case Helper::TT:
 /* we have been given a blob to send to the client */
 safe_free(lm_request->server_blob);
- lm_request->request->flags.mustKeepalive = true;
- if (lm_request->request->flags.proxyKeepalive) {
+
+ if (lm_request->request)
+ lm_request->request->flags.mustKeepalive = true;
+
+ if (lm_request->request && lm_request->request->flags.proxyKeepalive) {
 const char *tokenNote = reply.notes.findFirst("token");
 lm_request->server_blob = xstrdup(tokenNote);
 auth_user_request->user()->credentials(Auth::Handshake);
diff --git a/src/auth/ntlm/UserRequest.cc b/src/auth/ntlm/UserRequest.cc
index f6f4d87ac9..2fb2995154 100644
--- a/src/auth/ntlm/UserRequest.cc
+++ b/src/auth/ntlm/UserRequest.cc
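Review bot: The guarded branch in the src/auth/negotiate/UserRequest.cc hunk still hands the result of `reply.notes.findFirst("token")` directly to `xstrdup()`, so a TT reply that carries no token note is not covered by the new null-request checks. If the reply parser does not already guarantee a token on TT results (not visible here), a malformed helper response could reach the copy with a null pointer; a guard such as `if (!tokenNote) { /* treat as helper failure */ }` before the `xstrdup()` call would close that. The same pattern appears in the NTLM hunk with `serverBlob`. The `case Helper::TT` body continues past the end of the hunk, so the failure handling has to be chosen against the lines that follow.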
@@ -295,8 +295,11 @@ Auth::Ntlm::UserRequest::HandleReply(void *data, const Helper::Reply &reply)
 case Helper::TT:
 /* we have been given a blob to send to the client */
 safe_free(lm_request->server_blob);
- lm_request->request->flags.mustKeepalive = true;
- if (lm_request->request->flags.proxyKeepalive) {
+
+ if (lm_request->request)
+ lm_request->request->flags.mustKeepalive = true;
+
+ if (lm_request->request && lm_request->request->flags.proxyKeepalive) {
 const char *serverBlob = reply.notes.findFirst("token");
 lm_request->server_blob = xstrdup(serverBlob);
 auth_user_request->user()->credentials(Auth::Handshake);
-- 
2.47.2
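Review bot: The two new `lm_request->request` tests in this NTLM hunk (and the identical pair in the Negotiate hunk) carry no comment saying when the pointer is legitimately null, so a later reader cannot tell an expected state from a purely defensive check. The commit message has the reason; I would put it above the first test, e.g. `/* lm_request->request is unset when the helper lookup was made without a client HTTP request */`. With a null request the second test is false, so control goes to whatever follows the `if` block outside this hunk; it is worth confirming that path reports a failure suited to this case and logs it, since a TT reply with no request attached is a helper anomaly operators would want to see.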