From patchwork Wed Jan 17 08:59:51 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3572
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 17 Jan 2024 09:59:51 +0100
Message-ID: <20240117085951.27414-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.43.0
Subject: [Openvpn-devel] [PATCH v1] NTLM: add length check to add_security_buffer

From: Frank Lichtenheld

Especially ntlmv2_response can be very big, so make sure we do not exceed the size of the phase3 buffer.

Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/496 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index bc33f41..99d4ae7 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -154,8 +154,13 @@ static void add_security_buffer(int sb_offset, void *data, int length, - unsigned char *msg_buf, int *msg_bufpos) + unsigned char *msg_buf, int *msg_bufpos, size_t msg_bufsize) { + if (*msg_bufpos + length > msg_bufsize) + { + msg(M_WARN, "NTLM: security buffer too big for message buffer"); + return; + } /* Adds security buffer data to a message and sets security buffer's * offset and length */ msg_buf[sb_offset] = (unsigned char)length; @@ -362,15 +367,15 @@ /* NTLMv2 response */ add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, - phase3, &phase3_bufpos); + phase3, &phase3_bufpos, sizeof(phase3)); /* username in ascii */ add_security_buffer(0x24, username, strlen(username), phase3, - &phase3_bufpos); + &phase3_bufpos, sizeof(phase3)); /* Set domain. If is empty, default domain will be used * (i.e. proxy's domain) */ - add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos); + add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3)); /* other security buffers will be empty */ phase3[0x10] = phase3_bufpos; /* lm not used */
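Review bot: in the add_security_buffer hunk, the new check `if (*msg_bufpos + length > msg_bufsize)` adds two `int` values and compares the signed sum against a `size_t`, so the sum is converted to unsigned first: a negative `length` or an overflowed sum turns into a huge value and is rejected only by accident, and the build will emit a sign-compare warning. Suggest rejecting a negative length explicitly and doing the arithmetic in `size_t`, e.g. `if (length < 0 || (size_t)*msg_bufpos + (size_t)length > msg_bufsize)`. The bigger problem is the bare `return;` after the M_WARN: the function is still `void`, so the caller cannot tell that nothing was copied and that the offset/length bytes starting at `msg_buf[sb_offset]` were never written; message assembly simply continues with a hole in it. Returning a `bool` (false on the overflow path, true after the copy) lets callers abort instead of emitting a malformed message. Minor: the "Adds security buffer data to a message ..." comment now sits below the new check rather than at the top of the function body; keep it first.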
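Review bot: in the phase3 hunk, the three call sites now pass `sizeof(phase3)` but have no way to learn that add_security_buffer bailed out, because its return type is unchanged. If the `ntlmv2_response` buffer (`ntlmv2_blob_size + 16` bytes, the case the commit message is worried about) is rejected, execution falls through to the username and domain buffers and to `phase3[0x10] = phase3_bufpos;`, so the result is a short phase3 message with an empty NTLMv2 field sent to the proxy rather than a failed authentication. Suggest making add_security_buffer return a `bool` and checking it at each of these three calls, e.g. `if (!add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, phase3, &phase3_bufpos, sizeof(phase3)))` followed by whatever error path this function already uses. While touching these lines: `strlen(username)` and `strlen(domain)` are `size_t` values passed into an `int length` parameter, which is the same signed/unsigned mismatch the new check then has to reason about. Style: the domain call `add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3));` is now well past the line length the two calls above it were wrapped to; wrap it the same way.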