From patchwork Wed Jan 17 09:17:11 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3574
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 17 Jan 2024 10:17:11 +0100
Message-ID: <20240117091711.5366-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v1] NTLM: add length check to add_security_buffer

From: Frank Lichtenheld

Especially ntlmv2_response can be very big, so make sure we do not exceed the size of the phase3 buffer.

Change-Id: Icea931d29e3e504e23e045539b21013b42172664
Signed-off-by: Frank Lichtenheld Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/493 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 2e77214..2b735ec 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -167,8 +167,13 @@ static void add_security_buffer(int sb_offset, void *data, int length, - unsigned char *msg_buf, int *msg_bufpos) + unsigned char *msg_buf, int *msg_bufpos, size_t msg_bufsize) { + if (*msg_bufpos + length > msg_bufsize) + { + msg(M_WARN, "NTLM: security buffer too big for message buffer"); + return; + } /* Adds security buffer data to a message and sets security buffer's * offset and length */ msg_buf[sb_offset] = (unsigned char)length; @@ -396,20 +401,20 @@ if (ntlmv2_enabled) /* NTLMv2 response */ { add_security_buffer(0x14, ntlmv2_response, ntlmv2_blob_size + 16, - phase3, &phase3_bufpos); + phase3, &phase3_bufpos, sizeof(phase3)); } else /* NTLM response */ { - add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos); + add_security_buffer(0x14, ntlm_response, 24, phase3, &phase3_bufpos, sizeof(phase3)); } /* username in ascii */ add_security_buffer(0x24, username, strlen(username), phase3, - &phase3_bufpos); + &phase3_bufpos, sizeof(phase3)); /* Set domain. If is empty, default domain will be used * (i.e. proxy's domain) */ - add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos); + add_security_buffer(0x1c, domain, strlen(domain), phase3, &phase3_bufpos, sizeof(phase3)); /* other security buffers will be empty */ phase3[0x10] = phase3_bufpos; /* lm not used */
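Review bot: in the first hunk (add_security_buffer), the new check `*msg_bufpos + length > msg_bufsize` adds two ints and only then converts the sum to size_t for the comparison, so a negative `length` or a sum that overflows int is not caught; widen before adding and reject negative lengths explicitly, e.g. `if (length < 0 || (size_t)*msg_bufpos + (size_t)length > msg_bufsize)`. The comment "Adds security buffer data to a message and sets security buffer's offset and length" now sits below the early return, so it should move above the check to keep describing the function as a whole. The function also stays `void`, so after `msg(M_WARN, ...)` the caller cannot tell that nothing was written and `*msg_bufpos` was not advanced.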
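Review bot: in the second hunk, all four call sites now pass `sizeof(phase3)`, but none of them can observe a failure because add_security_buffer returns void: if ntlmv2_response does not fit, execution still falls through to `phase3[0x10] = phase3_bufpos;` and a phase 3 message with its response buffer's offset and length fields left unset is sent, which replaces a buffer overflow with a confusing authentication failure and a proxy-side error instead of a clear client-side abort. Suggest making add_security_buffer return bool and having each caller log and return on false. `sizeof(phase3)` is only correct while phase3 stays a fixed-size array in this function; if it is ever changed to a heap pointer the check silently degrades to the size of a pointer, so a comment at the declaration of phase3 would help.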