Check length of response before accessing it

The NTLM protocol implementation does not validate the length of the proxy server’s response. If the response is shorter than expected, the code will access the response buffer out of bounds, which will raise an exception. This change checks and explicitly raises an exception with an informative message if the response is too short. This was never a security issue as such but might result in a client terminating early and without a nice diagnostic. Signed-off-by: Charlie Vigue <[email protected]>
OpenVPN · Jan 8, 2024 · 6bc9c0b · 6bc9c0b
1 parent 8ad83b5
commit 6bc9c0b
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/openvpn/proxy/ntlm.hpp b/openvpn/proxy/ntlm.hpp
@@ -70,7 +70,7 @@ class NTLM
             throw Exception("password is blank");
 
         if (phase_2_response.size() < 32)
-            throw Exception("phase2 response from server too short (" + std::to_string(phase_2_response.size()) + ")");
+            throw Exception("phase2 base64 response from server too short (" + std::to_string(phase_2_response.size()) + ")");
 
         // split domain\username
         std::string domain;
@@ -89,6 +89,9 @@ class NTLM
         BufferAllocated response(phase_2_response.size(), 0);
         base64->decode(response, phase_2_response);
 
+        if (response.size() < 32)
+            throw Exception("phase2 decoded response from server too short (" + std::to_string(response.size()) + ")");
+
         // extract the challenge from bytes 24-31 in the response
         unsigned char challenge[8];
         for (size_t i = 0; i < 8; ++i)