r24796: Add bounds checking to ntlm_auth, increase initial buffer size to 300 to avoid

one talloc/fgets loop in the common case, which is slightly over 200 for the KK
response.
(This used to be commit ba5ac4eeb8086d50e829e1a9944ea89a28eeef2c)

1 files changed, 12 insertions, 2 deletions

diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index 162470dd95..f999995daf 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -38,7 +38,8 @@
 #include "lib/messaging/irpc.h"
 #include "auth/ntlmssp/ntlmssp.h"
 
-#define INITIAL_BUFFER_SIZE 200
+#define INITIAL_BUFFER_SIZE 300
+#define MAX_BUFFER_SIZE 63000
 
 enum stdio_helper_mode {
 	SQUID_2_4_BASIC,
@@ -871,7 +872,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode,
 	char *buf;
 	char tmp[INITIAL_BUFFER_SIZE+1];
 	unsigned int mux_id = 0;
-	int length;
+	int length, buf_size = 0;
 	char *c;
 	struct mux_private {
 		unsigned int max_mux;
@@ -907,6 +908,15 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode,
 		}
 
 		buf = talloc_append_string(buf, buf, tmp);
+		buf_size += INITIAL_BUFFER_SIZE;
+
+		if (buf_size > MAX_BUFFER_SIZE) {
+			DEBUG(0, ("Invalid Request (too large)\n"));
+			x_fprintf(x_stdout, "ERR\n");
+			talloc_free(buf);
+			return;
+		}
+
 		c = strchr(buf, '\n');
 	} while (c == NULL);