From d510accb39f07ae0abfa0b5cdf2e834a41872cde Mon Sep 17 00:00:00 2001
From: Kai Blin <kai@samba.org>
Date: Thu, 30 Aug 2007 09:02:40 +0000
Subject: r24796: Add bounds checking to ntlm_auth, increase initial buffer
 size to 300 to avoid one talloc/fgets loop in the common case, which is
 slightly over 200 for the KK response. (This used to be commit
 ba5ac4eeb8086d50e829e1a9944ea89a28eeef2c)

---
 source4/utils/ntlm_auth.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'source4')

diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index 162470dd95..f999995daf 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -38,7 +38,8 @@
 #include "lib/messaging/irpc.h"
 #include "auth/ntlmssp/ntlmssp.h"
 
-#define INITIAL_BUFFER_SIZE 200
+#define INITIAL_BUFFER_SIZE 300
+#define MAX_BUFFER_SIZE 63000
 
 enum stdio_helper_mode {
 	SQUID_2_4_BASIC,
@@ -871,7 +872,7 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode,
 	char *buf;
 	char tmp[INITIAL_BUFFER_SIZE+1];
 	unsigned int mux_id = 0;
-	int length;
+	int length, buf_size = 0;
 	char *c;
 	struct mux_private {
 		unsigned int max_mux;
@@ -907,6 +908,15 @@ static void manage_squid_request(enum stdio_helper_mode helper_mode,
 		}
 
 		buf = talloc_append_string(buf, buf, tmp);
+		buf_size += INITIAL_BUFFER_SIZE;
+
+		if (buf_size > MAX_BUFFER_SIZE) {
+			DEBUG(0, ("Invalid Request (too large)\n"));
+			x_fprintf(x_stdout, "ERR\n");
+			talloc_free(buf);
+			return;
+		}
+
 		c = strchr(buf, '\n');
 	} while (c == NULL);
 
-- 
cgit