From: akallabeth
Date: Wed, 15 Apr 2020 15:02:33 +0000 (+0200)
Subject: Fixed oob read in ntlm_read_ntlm_v2_response
X-Git-Tag: 2.1.0^2~39
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c098f21fdaadca57ff649eee1674f6cc321a2ec4;p=platform%2Fupstream%2Ffreerdp.git

Fixed oob read in ntlm_read_ntlm_v2_response
---

diff --git a/winpr/libwinpr/sspi/NTLM/ntlm_compute.c b/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
index c36dcaa..dbd7f7f 100644
--- a/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
+++ b/winpr/libwinpr/sspi/NTLM/ntlm_compute.c
@@ -124,6 +124,9 @@ void ntlm_print_version_info(NTLM_VERSION_INFO* versionInfo)
 static int ntlm_read_ntlm_v2_client_challenge(wStream* s, NTLMv2_CLIENT_CHALLENGE* challenge)
 {
 size_t size;
+ if (Stream_GetRemainingLength(s) < 28)
+ return -1;
+
 Stream_Read_UINT8(s, challenge->RespType);
 Stream_Read_UINT8(s, challenge->HiRespType);
 Stream_Read_UINT16(s, challenge->Reserved1);
@@ -163,6 +166,8 @@ static int ntlm_write_ntlm_v2_client_challenge(wStream* s, NTLMv2_CLIENT_CHALLEN
 
 int ntlm_read_ntlm_v2_response(wStream* s, NTLMv2_RESPONSE* response)
 {
+ if (Stream_GetRemainingLength(s) < 16)
+ return -1;
 Stream_Read(s, response->Response, 16);
 return ntlm_read_ntlm_v2_client_challenge(s, &(response->Challenge));
 }
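Review bot: The literal 28 in the new guard at the top of ntlm_read_ntlm_v2_client_challenge is unexplained, and the hunk shows only three of the reads it is meant to cover (1 + 1 + 2 bytes), so the bound cannot be checked against the code from here. A comment on the check would make it auditable, for example `/* 28 = size of the fixed-length fields read below, before any variable-length data */`, or the value could become a named constant next to the structure definition. The function body continues past the hunk and declares `size_t size;`, which suggests a variable-length read follows; the new check bounds the fixed part only, so that later read presumably needs its own length validation, and that should be confirmed in the full file.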
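Review bot: The new `return -1;` in ntlm_read_ntlm_v2_response only prevents use of a truncated message if every caller tests the result, and this commit changes no call site. Whether the existing callers already reject a negative return is not visible in the diff, so that needs confirming; otherwise parsing would continue with an unfilled `response`. A header comment stating the contract would help, for example `/* Returns -1 if the stream is too short for the 16-byte Response or the client challenge; callers must reject the message. */`. The guard also repeats the 16 used by the Stream_Read below it; if `Response` is a fixed-size array, `sizeof(response->Response)` in both places would keep the check and the read from drifting apart.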