Skip to content
Permalink
Browse files Browse the repository at this point in the history
Fixed oob read in ntlm_read_NegotiateMessage
  • Loading branch information
akallabeth committed May 6, 2020
1 parent b230ac9 commit 8fa3835
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions winpr/libwinpr/sspi/NTLM/ntlm_message.c
Expand Up @@ -219,6 +219,11 @@ SECURITY_STATUS ntlm_read_NegotiateMessage(NTLM_CONTEXT* context, PSecBuffer buf
return SEC_E_INVALID_TOKEN;
}

if (Stream_GetRemainingLength(s) < 4)
{
Stream_Free(s, FALSE);
return SEC_E_INVALID_TOKEN;
}
Stream_Read_UINT32(s, message->NegotiateFlags); /* NegotiateFlags (4 bytes) */

if (!((message->NegotiateFlags & NTLMSSP_REQUEST_TARGET) &&
Expand Down

0 comments on commit 8fa3835

Please sign in to comment.