ntlm: improved error path on bad incoming NTLM TYPE3 message

No leaks

Reported-by: Tim Becker
Closes #19198
This commit is contained in:
Daniel Stenberg 2025-10-22 07:54:33 +02:00
parent 6032b8f2a2
commit d922db880c
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2

View file

@ -788,7 +788,8 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
/* ntresplen + size should not be risking an integer overflow here */
if(ntresplen + size > sizeof(ntlmbuf)) {
failf(data, "incoming NTLM message too big");
return CURLE_OUT_OF_MEMORY;
result = CURLE_TOO_LARGE;
goto error;
}
DEBUGASSERT(size == (size_t)ntrespoff);
memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
@ -799,8 +800,6 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen);
});
free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
DEBUG_OUT({
curl_mfprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ",
LONGQUARTET(ntlm->flags), ntlm->flags);
@ -811,8 +810,9 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
/* Make sure that the domain, user and host strings fit in the
buffer before we copy them there. */
if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) {
failf(data, "user + domain + hostname too big");
return CURLE_OUT_OF_MEMORY;
failf(data, "user + domain + hostname too big for NTLM");
result = CURLE_TOO_LARGE;
goto error;
}
DEBUGASSERT(size == domoff);
@ -842,6 +842,9 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
/* Return the binary blob. */
result = Curl_bufref_memdup(out, ntlmbuf, size);
error:
free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */
Curl_auth_cleanup_ntlm(ntlm);
return result;