Commit 3012038e authored by Rob Shearman's avatar Rob Shearman Committed by Alexandre Julliard

secur32: NTLM - don't copy more data from User, Domain and Password

pointers in the SEC_WINNT_AUTH_IDENTITY structure than the corresponding Length fields say the pointers hold.
parent 7f16f21c
...@@ -172,11 +172,15 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW( ...@@ -172,11 +172,15 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(
/* Get username and domain from pAuthData */ /* Get username and domain from pAuthData */
username = HeapAlloc(GetProcessHeap(), 0, username = HeapAlloc(GetProcessHeap(), 0,
(auth_data->UserLength + 1) * sizeof(SEC_WCHAR)); (auth_data->UserLength + 1) * sizeof(SEC_WCHAR));
lstrcpyW(username, auth_data->User); memcpy(username, auth_data->User,
auth_data->UserLength * sizeof(SEC_WCHAR));
username[auth_data->UserLength] = '\0';
domain = HeapAlloc(GetProcessHeap(), 0, domain = HeapAlloc(GetProcessHeap(), 0,
(auth_data->DomainLength + 1) * sizeof(SEC_WCHAR)); (auth_data->DomainLength + 1) * sizeof(SEC_WCHAR));
lstrcpyW(domain, auth_data->Domain); memcpy(domain, auth_data->Domain,
auth_data->DomainLength * sizeof(SEC_WCHAR));
domain[auth_data->DomainLength] = '\0';
} }
TRACE("Username is %s\n", debugstr_w(username)); TRACE("Username is %s\n", debugstr_w(username));
unixcp_size = WideCharToMultiByte(CP_UNIXCP, WC_NO_BEST_FIT_CHARS, unixcp_size = WideCharToMultiByte(CP_UNIXCP, WC_NO_BEST_FIT_CHARS,
...@@ -222,15 +226,16 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW( ...@@ -222,15 +226,16 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW(
{ {
helper->pwlen = WideCharToMultiByte(CP_UNIXCP, helper->pwlen = WideCharToMultiByte(CP_UNIXCP,
WC_NO_BEST_FIT_CHARS, auth_data->Password, WC_NO_BEST_FIT_CHARS, auth_data->Password,
auth_data->PasswordLength+1, NULL, 0, NULL, auth_data->PasswordLength, NULL, 0, NULL,
NULL) + 1; NULL) + 1;
helper->password = HeapAlloc(GetProcessHeap(), 0, helper->password = HeapAlloc(GetProcessHeap(), 0,
helper->pwlen); helper->pwlen);
WideCharToMultiByte(CP_UNIXCP, WC_NO_BEST_FIT_CHARS, WideCharToMultiByte(CP_UNIXCP, WC_NO_BEST_FIT_CHARS,
auth_data->Password, auth_data->PasswordLength+1, auth_data->Password, auth_data->PasswordLength,
helper->password, helper->pwlen, NULL, NULL); helper->password, helper->pwlen, NULL, NULL);
helper->password[helper->pwlen - 1] = '\0';
} }
} }
...@@ -304,11 +309,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA( ...@@ -304,11 +309,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA(
if(identity->UserLength != 0) if(identity->UserLength != 0)
{ {
user_sizeW = MultiByteToWideChar(CP_ACP, 0, user_sizeW = MultiByteToWideChar(CP_ACP, 0,
(LPCSTR)identity->User, identity->UserLength+1, NULL, 0); (LPCSTR)identity->User, identity->UserLength, NULL, 0);
user = HeapAlloc(GetProcessHeap(), 0, user_sizeW * user = HeapAlloc(GetProcessHeap(), 0, user_sizeW *
sizeof(SEC_WCHAR)); sizeof(SEC_WCHAR));
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)identity->User, MultiByteToWideChar(CP_ACP, 0, (LPCSTR)identity->User,
identity->UserLength+1, user, user_sizeW); identity->UserLength, user, user_sizeW);
} }
else else
{ {
...@@ -318,11 +323,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA( ...@@ -318,11 +323,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA(
if(identity->DomainLength != 0) if(identity->DomainLength != 0)
{ {
domain_sizeW = MultiByteToWideChar(CP_ACP, 0, domain_sizeW = MultiByteToWideChar(CP_ACP, 0,
(LPCSTR)identity->Domain, identity->DomainLength+1, NULL, 0); (LPCSTR)identity->Domain, identity->DomainLength, NULL, 0);
domain = HeapAlloc(GetProcessHeap(), 0, domain_sizeW domain = HeapAlloc(GetProcessHeap(), 0, domain_sizeW
* sizeof(SEC_WCHAR)); * sizeof(SEC_WCHAR));
MultiByteToWideChar(CP_ACP, 0, (LPCSTR)identity->Domain, MultiByteToWideChar(CP_ACP, 0, (LPCSTR)identity->Domain,
identity->DomainLength+1, domain, domain_sizeW); identity->DomainLength, domain, domain_sizeW);
} }
else else
{ {
...@@ -502,11 +507,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( ...@@ -502,11 +507,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(
{ {
lstrcpynA(buffer, "PW ", max_len-1); lstrcpynA(buffer, "PW ", max_len-1);
if((ret = encodeBase64((unsigned char*)helper->password, if((ret = encodeBase64((unsigned char*)helper->password,
helper->pwlen-2, buffer+3, helper->pwlen-1, buffer+3,
max_len-3, &buffer_len)) != SEC_E_OK) max_len-3, &buffer_len)) != SEC_E_OK)
{ {
TRACE("Deleting password!\n"); TRACE("Deleting password!\n");
memset(helper->password, 0, helper->pwlen-2); memset(helper->password, 0, helper->pwlen-1);
HeapFree(GetProcessHeap(), 0, helper->password); HeapFree(GetProcessHeap(), 0, helper->password);
goto isc_end; goto isc_end;
} }
...@@ -734,7 +739,7 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( ...@@ -734,7 +739,7 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW(
{ {
TRACE("Deleting password!\n"); TRACE("Deleting password!\n");
if(helper->password) if(helper->password)
memset(helper->password, 0, helper->pwlen-2); memset(helper->password, 0, helper->pwlen-1);
HeapFree(GetProcessHeap(), 0, helper->password); HeapFree(GetProcessHeap(), 0, helper->password);
} }
isc_end: isc_end:
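Review bot: In the ntlm_AcquireCredentialsHandleA hunk at @@ -304, dropping the +1 from both MultiByteToWideChar calls means `user` is now exactly user_sizeW wide characters with no terminating NUL and no room for one, where the old code converted the terminator along with the name; the same applies to `domain` in the @@ -318 hunk. That is safe only if every consumer of these buffers takes user_sizeW/domain_sizeW as an explicit length — the @@ -172 hunk copies UserLength characters with memcpy and terminates the copy itself, which suggests that is the intent, but the rest of ntlm_AcquireCredentialsHandleA, including how the wide identity is filled in, lies outside the hunk, so I cannot confirm it. If anything there still treats `user` or `domain` as a C string (debugstr_w, lstrcpyW), over-allocate by one and terminate: `user = HeapAlloc(GetProcessHeap(), 0, (user_sizeW + 1) * sizeof(SEC_WCHAR));` and `user[user_sizeW] = 0;` after the second conversion. A short comment on the allocation, `/* not NUL-terminated: length is user_sizeW */`, would make the contract visible either way.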