Module: wine Branch: master Commit: 3012038e73d2fdd6f9938fd68291a78b057f08cc URL: http://source.winehq.org/git/wine.git/?a=commit;h=3012038e73d2fdd6f9938fd682...
Author: Rob Shearman rob@codeweavers.com Date: Tue Mar 6 13:30:38 2007 +0000
secur32: NTLM - don't copy more data from User, Domain and Password pointers in the SEC_WINNT_AUTH_IDENTITY structure than the corresponding Length fields say the pointers hold.
---
dlls/secur32/ntlm.c | 27 ++++++++++++++++----------- 1 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/dlls/secur32/ntlm.c b/dlls/secur32/ntlm.c index af5b3f0..4f21917 100644 --- a/dlls/secur32/ntlm.c +++ b/dlls/secur32/ntlm.c @@ -172,11 +172,15 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW( /* Get username and domain from pAuthData */ username = HeapAlloc(GetProcessHeap(), 0, (auth_data->UserLength + 1) * sizeof(SEC_WCHAR)); - lstrcpyW(username, auth_data->User); + memcpy(username, auth_data->User, + auth_data->UserLength * sizeof(SEC_WCHAR)); + username[auth_data->UserLength] = '\0';
domain = HeapAlloc(GetProcessHeap(), 0, (auth_data->DomainLength + 1) * sizeof(SEC_WCHAR)); - lstrcpyW(domain, auth_data->Domain); + memcpy(domain, auth_data->Domain, + auth_data->DomainLength * sizeof(SEC_WCHAR)); + domain[auth_data->DomainLength] = '\0'; } TRACE("Username is %s\n", debugstr_w(username)); unixcp_size = WideCharToMultiByte(CP_UNIXCP, WC_NO_BEST_FIT_CHARS, @@ -222,15 +226,16 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleW( { helper->pwlen = WideCharToMultiByte(CP_UNIXCP, WC_NO_BEST_FIT_CHARS, auth_data->Password, - auth_data->PasswordLength+1, NULL, 0, NULL, + auth_data->PasswordLength, NULL, 0, NULL, NULL) + 1;
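Review bot: The new memcpy and terminator store in ntlm_AcquireCredentialsHandleW write through `username` and `domain` without checking the HeapAlloc result, so an allocation failure becomes a NULL-pointer write. The same unchecked pattern is visible for `helper->password` in the hunk at -222 and for `user` and `domain` in the ntlm_AcquireCredentialsHandleA hunks at -304 and -318. Each allocation should be tested and the call failed, for example `if (!username) return SEC_E_INSUFFICIENT_MEMORY;`, adapted to whatever cleanup the function already does; its body starts and ends outside this hunk. Because the lengths are caller-supplied, it is also worth bounding `UserLength` and `DomainLength` before computing `(len + 1) * sizeof(SEC_WCHAR)`.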
helper->password = HeapAlloc(GetProcessHeap(), 0, helper->pwlen);
WideCharToMultiByte(CP_UNIXCP, WC_NO_BEST_FIT_CHARS, - auth_data->Password, auth_data->PasswordLength+1, + auth_data->Password, auth_data->PasswordLength, helper->password, helper->pwlen, NULL, NULL); + helper->password[helper->pwlen - 1] = '\0'; } }
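Review bot: Neither WideCharToMultiByte call in the password conversion has its return value checked. If the sizing call fails and returns 0, `helper->pwlen` becomes 1 and an empty password is used silently. If the second call fails (unlikely once sizing has succeeded, but not excluded), the buffer from `HeapAlloc(GetProcessHeap(), 0, ...)` stays uninitialised except for the last byte, and the hunk at -502 later base64-encodes `pwlen-1` bytes of it. Checking both results and failing the call would close this, or at minimum allocate with `HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, helper->pwlen)` so stale heap contents can never be sent as a password. The enclosing block continues outside the hunk.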
@@ -304,11 +309,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA( if(identity->UserLength != 0) { user_sizeW = MultiByteToWideChar(CP_ACP, 0, - (LPCSTR)identity->User, identity->UserLength+1, NULL, 0); + (LPCSTR)identity->User, identity->UserLength, NULL, 0); user = HeapAlloc(GetProcessHeap(), 0, user_sizeW * sizeof(SEC_WCHAR)); MultiByteToWideChar(CP_ACP, 0, (LPCSTR)identity->User, - identity->UserLength+1, user, user_sizeW); + identity->UserLength, user, user_sizeW); } else { @@ -318,11 +323,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_AcquireCredentialsHandleA( if(identity->DomainLength != 0) { domain_sizeW = MultiByteToWideChar(CP_ACP, 0, - (LPCSTR)identity->Domain, identity->DomainLength+1, NULL, 0); + (LPCSTR)identity->Domain, identity->DomainLength, NULL, 0); domain = HeapAlloc(GetProcessHeap(), 0, domain_sizeW * sizeof(SEC_WCHAR)); MultiByteToWideChar(CP_ACP, 0, (LPCSTR)identity->Domain, - identity->DomainLength+1, domain, domain_sizeW); + identity->DomainLength, domain, domain_sizeW); } else { @@ -502,11 +507,11 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( { lstrcpynA(buffer, "PW ", max_len-1); if((ret = encodeBase64((unsigned char*)helper->password, - helper->pwlen-2, buffer+3, + helper->pwlen-1, buffer+3, max_len-3, &buffer_len)) != SEC_E_OK) { TRACE("Deleting password!\n"); - memset(helper->password, 0, helper->pwlen-2); + memset(helper->password, 0, helper->pwlen-1); HeapFree(GetProcessHeap(), 0, helper->password); goto isc_end; } @@ -734,7 +739,7 @@ static SECURITY_STATUS SEC_ENTRY ntlm_InitializeSecurityContextW( { TRACE("Deleting password!\n"); if(helper->password) - memset(helper->password, 0, helper->pwlen-2); + memset(helper->password, 0, helper->pwlen-1); HeapFree(GetProcessHeap(), 0, helper->password); } isc_end:
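Review bot: With the `+1` dropped, the `user` and `domain` buffers in ntlm_AcquireCredentialsHandleA (hunks at -304 and -318) are no longer NUL-terminated, because MultiByteToWideChar writes a terminator only when its input includes one. That is safe only if the code after these hunks, which is not shown, passes `user_sizeW` and `domain_sizeW` on as the lengths and never treats the buffers as C strings. A comment at the allocation would make the contract explicit, e.g. `/* not NUL-terminated; length is user_sizeW characters */`. The password conversion in this function is not part of the diff, so it is worth confirming it does not still read `PasswordLength+1` bytes.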
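Review bot: After the wipe and HeapFree on the encodeBase64 failure path in ntlm_InitializeSecurityContextW (hunk at -502), `helper->password` and `helper->pwlen` keep their old values, and the cleanup block at -734 leaves them set as well. If the helper is used again after either path, the stale pointer could be wiped or freed a second time; adding `helper->password = NULL; helper->pwlen = 0;` right after each HeapFree avoids that. The clear is a plain `memset` immediately before the free, which an optimiser is permitted to drop; `SecureZeroMemory(helper->password, helper->pwlen)`, if available to this DLL, would guarantee it and also cover the terminator byte. Both enclosing blocks extend outside their hunks.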