From d922db880c5235eeba481c5be2484d68f610dfff Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 22 Oct 2025 07:54:33 +0200 Subject: [PATCH] ntlm: improved error path on bad incoming NTLM TYPE3 message No leaks Reported-by: Tim Becker Closes #19198 --- lib/vauth/ntlm.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c index 791fc87d11..d860fbbd50 100644 --- a/lib/vauth/ntlm.c +++ b/lib/vauth/ntlm.c @@ -788,7 +788,8 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* ntresplen + size should not be risking an integer overflow here */ if(ntresplen + size > sizeof(ntlmbuf)) { failf(data, "incoming NTLM message too big"); - return CURLE_OUT_OF_MEMORY; + result = CURLE_TOO_LARGE; + goto error; } DEBUGASSERT(size == (size_t)ntrespoff); memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen); @@ -799,8 +800,6 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, ntlm_print_hex(stderr, (char *)&ntlmbuf[ntrespoff], ntresplen); }); - free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */ - DEBUG_OUT({ curl_mfprintf(stderr, "\n flags=0x%02.2x%02.2x%02.2x%02.2x 0x%08.8x ", LONGQUARTET(ntlm->flags), ntlm->flags); @@ -811,8 +810,9 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* Make sure that the domain, user and host strings fit in the buffer before we copy them there. */ if(size + userlen + domlen + hostlen >= NTLM_BUFSIZE) { - failf(data, "user + domain + hostname too big"); - return CURLE_OUT_OF_MEMORY; + failf(data, "user + domain + hostname too big for NTLM"); + result = CURLE_TOO_LARGE; + goto error; } DEBUGASSERT(size == domoff); @@ -842,6 +842,9 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data, /* Return the binary blob. */ result = Curl_bufref_memdup(out, ntlmbuf, size); +error: + free(ntlmv2resp);/* Free the dynamic buffer allocated for NTLMv2 */ + Curl_auth_cleanup_ntlm(ntlm); return result;