
This queue is for tickets about the NTLM CPAN distribution.

Report information
The Basics
Id: 39925
Status: resolved
Priority: 0/
Queue: NTLM

People
Owner: Nobody in particular
Requestors: RFRANKEL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.05
Fixed in: 1.06



Subject: Access null strings in decode_challenge
Using apache2 mod_ntlm2, the challenge string is sometimes < 48 characters, so the decode_challenge function tries to access values off the end of the string. Here's a patch which solves the warnings in the least intrusive manner:

--- /usr/local/perl/5.8.5/lib/site_perl/5.8.5/Authen/NTLM.pm 2008-06-18 06:56:08.000000000 -0400 +++ /export/home/ut0598/tmp/Authen/NTLM.pm 2008-10-09 12:33:51.194737000 -0400 @@ -360,7 +360,9 @@ my (@res, @hdr); my $original = $challenge; - $res->{buffer} = substr($challenge, $msg2_hlen); + $res->{buffer} = $msg2_hlen < length $challenge + ? substr($challenge, $msg2_hlen) : ''; + $challenge = substr($challenge, 0, $msg2_hlen); @res = unpack($msg2, $challenge); $res->{ident} = $res[0]; @@ -373,7 +375,7 @@ $res->{data} = $res[4]; $res->{reserved} = $res[5]; $res->{empty_hdr} = $res[6]; - @hdr = unpack($str_hdr, $res[6]); + @hdr = length($res[6]) ? unpack($str_hdr, $res[6]) : (0,0,0); $res->{target}{len} = $hdr[0]; $res->{target}{maxlen} = $hdr[1]; $res->{target}{offset} = $hdr[2];
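Review bot: In the first hunk (@@ -360), a challenge shorter than $msg2_hlen is still passed on to `unpack($msg2, $challenge)` after the new guard, so the header fields are unpacked from a truncated message and the caller gets a partly filled result with no sign that the input was short. The guard only covers the `substr` that fills `$res->{buffer}`. Since the challenge comes from the server side of the handshake, I would rather check `length $challenge` against `$msg2_hlen` once at the top of decode_challenge and return an error (or an explicit "truncated" marker in `$res`) than default the buffer to `''` and carry on. As a style point, `$msg2_hlen < length $challenge ? ...` parses as intended, but writing `length($challenge)` would match the second hunk and remove any doubt for the reader.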
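Review bot: In the second hunk (@@ -373), `length($res[6])` only tests that the header field is non-empty, not that it is long enough for `$str_hdr`, so a partial field still reaches `unpack` and can leave `$hdr[1]` or `$hdr[2]` undefined, which brings the same warnings back one line later. If `$res[6]` is itself undefined because the earlier `unpack($msg2, ...)` ran out of input, the `length` call is also the first place that touches it. Comparing against the packed size of `$str_hdr` would cover both cases. Separately, the `(0,0,0)` fallback makes a truncated challenge indistinguishable from one that really carries an empty target, and nothing in this hunk checks `$res->{target}{offset}` and `$res->{target}{len}` against the length of `$res->{buffer}`; a comment stating where that validation happens, or a check here, would help.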
Will be fixed in 1.07, which just got uploaded.

On Thu Oct 09 12:37:28 2008, RFRANKEL wrote:
> using apache2 mod_ntlm2, the challenge string is sometimes < 48 > characters, so the decode_challenge function tries to access values off > the end of the string. Here's patch which solves the warnings in the > least intrusive manner: > > --- /usr/local/perl/5.8.5/lib/site_perl/5.8.5/Authen/NTLM.pm > 2008-06-18 06:56:08.000000000 -0400 > +++ /export/home/ut0598/tmp/Authen/NTLM.pm 2008-10-09 > 12:33:51.194737000 -0400 > @@ -360,7 +360,9 @@ > my (@res, @hdr); > my $original = $challenge; > > - $res->{buffer} = substr($challenge, $msg2_hlen); > + $res->{buffer} = $msg2_hlen < length $challenge > + ? substr($challenge, $msg2_hlen) : ''; > + > $challenge = substr($challenge, 0, $msg2_hlen); > @res = unpack($msg2, $challenge); > $res->{ident} = $res[0]; > @@ -373,7 +375,7 @@ > $res->{data} = $res[4]; > $res->{reserved} = $res[5]; > $res->{empty_hdr} = $res[6]; > - @hdr = unpack($str_hdr, $res[6]); > + @hdr = length($res[6]) ? unpack($str_hdr, $res[6]) : (0,0,0); > $res->{target}{len} = $hdr[0]; > $res->{target}{maxlen} = $hdr[1]; > $res->{target}{offset} = $hdr[2];