Thanks for the notification iDEFENCE. We are the "initial vendor" and…

… we sure got no notification, no mail, no nothing. You didn't even bother to mail us when you went public with this. Cool. NTLM buffer overflow fix, as reported here: http://www.securityfocus.com/archive/1/391042
curl · Feb 22, 2005 · 19f66c7 · 19f66c7
1 parent b7721de
commit 19f66c7
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c
@@ -103,7 +103,6 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn,
     header++;
 
   if(checkprefix("NTLM", header)) {
-    unsigned char buffer[256];
     header += strlen("NTLM");
 
     while(*header && isspace((int)*header))
@@ -123,8 +122,12 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn,
          (40)    Target Information  (optional) security buffer(*)
          32 (48) start of data block
       */
+      size_t size;
+      unsigned char *buffer = (unsigned char *)malloc(strlen(header));
+      if (buffer == NULL)
+        return CURLNTLM_BAD;
 
-      size_t size = Curl_base64_decode(header, (char *)buffer);
+      size = Curl_base64_decode(header, (char *)buffer);
 
       ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
 
@@ -134,6 +137,7 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn,
 
       /* at index decimal 20, there's a 32bit NTLM flag field */
 
+      free(buffer);
     }
     else {
       if(ntlm->state >= NTLMSTATE_TYPE1)