Fixed oob read in ntlm_read_ntlm_v2_response
authorakallabeth <akallabeth@posteo.net>
Wed, 15 Apr 2020 15:02:33 +0000 (17:02 +0200)
committerakallabeth <akallabeth@posteo.net>
Tue, 5 May 2020 05:46:10 +0000 (07:46 +0200)
winpr/libwinpr/sspi/NTLM/ntlm_compute.c

index c36dcaa..dbd7f7f 100644 (file)
@@ -124,6 +124,9 @@ void ntlm_print_version_info(NTLM_VERSION_INFO* versionInfo)
 static int ntlm_read_ntlm_v2_client_challenge(wStream* s, NTLMv2_CLIENT_CHALLENGE* challenge)
 {
        size_t size;
+       if (Stream_GetRemainingLength(s) < 28)
+               return -1;
+
        Stream_Read_UINT8(s, challenge->RespType);
        Stream_Read_UINT8(s, challenge->HiRespType);
        Stream_Read_UINT16(s, challenge->Reserved1);
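Review bot: The new guard at the top of ntlm_read_ntlm_v2_client_challenge uses the bare constant 28 with nothing saying which fields it covers; the three reads visible here account for only 4 of those bytes, and the function body continues past the end of the hunk. A one-line comment above the check would keep the number auditable, e.g. `/* fixed-size fields of the NTLMv2 client challenge, read below; the variable-length AvPairs tail must be bounds-checked separately */`. Whether that tail is in fact length-checked cannot be confirmed from this hunk, so it is worth verifying in the rest of the function. The same undocumented-length pattern recurs in the ntlm_read_ntlm_v2_response hunk below, though there the 16 is mirrored by the Stream_Read on the next line.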
@@ -163,6 +166,8 @@ static int ntlm_write_ntlm_v2_client_challenge(wStream* s, NTLMv2_CLIENT_CHALLEN
 
 int ntlm_read_ntlm_v2_response(wStream* s, NTLMv2_RESPONSE* response)
 {
+       if (Stream_GetRemainingLength(s) < 16)
+               return -1;
        Stream_Read(s, response->Response, 16);
        return ntlm_read_ntlm_v2_client_challenge(s, &(response->Challenge));
 }
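Review bot: Style: the guard in ntlm_read_ntlm_v2_response runs straight into the Stream_Read with no separating blank line, while the sibling guard added to ntlm_read_ntlm_v2_client_challenge in the hunk above is followed by one; keeping the two consistent makes the early-return pattern easier to spot. The function returns -1 directly here but otherwise passes through whatever the client-challenge parser returns, so a short comment on the return contract, such as `/* returns -1 if fewer than 16 bytes remain, else the client-challenge parser's result */`, would help callers that only check for zero.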