From 6bc9c0bd598b44e8c569074b2e68d6a3054d2cb9 Mon Sep 17 00:00:00 2001
From: Charlie Vigue
Date: Fri, 29 Dec 2023 17:27:57 +0000
Subject: [PATCH] Check length of response before accessing it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The NTLM protocol implementation does not validate the length of the proxy server’s response. If the response is shorter than expected, the code will access the response buffer out of bounds, which will raise an exception. This change checks and explicitly raises an exception with an informative message if the response is too short. This was never a security issue as such but might result in a client terminating early and without a nice diagnostic.

Signed-off-by: Charlie Vigue
---
 openvpn/proxy/ntlm.hpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/openvpn/proxy/ntlm.hpp b/openvpn/proxy/ntlm.hpp
index f6c95b7a7..850cbfce4 100644
--- a/openvpn/proxy/ntlm.hpp
+++ b/openvpn/proxy/ntlm.hpp
@@ -70,7 +70,7 @@ class NTLM
 throw Exception("password is blank");
 if (phase_2_response.size() < 32)
- throw Exception("phase2 response from server too short (" + std::to_string(phase_2_response.size()) + ")");
+ throw Exception("phase2 base64 response from server too short (" + std::to_string(phase_2_response.size()) + ")");
 // split domain\username
 std::string domain;
@@ -89,6 +89,9 @@ class NTLM
 BufferAllocated response(phase_2_response.size(), 0);
 base64->decode(response, phase_2_response);
+ if (response.size() < 32)
+ throw Exception("phase2 decoded response from server too short (" + std::to_string(response.size()) + ")");
+
 // extract the challenge from bytes 24-31 in the response
 unsigned char challenge[8];
 for (size_t i = 0; i < 8; ++i)
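Review bot: The new guard `if (response.size() < 32)` in the second hunk bounds the challenge read at bytes 24-31, but nothing in the hunk checks that the decoded buffer is actually an NTLM Type 2 message before those bytes are taken as the challenge; if the rest of the function (which continues outside the hunk) does not already do so, verifying the 8-byte `NTLMSSP\0` signature at bytes 0-7 and the message-type field at bytes 8-11 would reject a malformed or unexpected proxy reply with a clear diagnostic instead of continuing with meaningless challenge bytes. The `32` literal now appears in both this hunk and the first one without explanation; a named constant such as `constexpr size_t NTLM_TYPE2_HEADER_LEN = 32; // signature(8) + type(4) + target-name fields(8) + flags(4) + challenge(8)` would state why 32 is the floor and keep the base64-length and decoded-length checks in agreement. Note that the base64-length check in the first hunk is now only an early-out; the decoded-length check is the one that actually protects the indexing below it.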