Bug 788037 - heap-buffer-overflow in soup_ntlm_parse_challenge()
heap-buffer-overflow in soup_ntlm_parse_challenge()
Status: RESOLVED FIXED
Product: libsoup
Classification: Core
Component: Misc
Version: 2.58.x
OS: Other Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: libsoup-maint@gnome.bugs
QA Contact: libsoup-maint@gnome.bugs
Depends on:
Blocks:
Reported: 2017-09-22 08:16 UTC by Milan Crha
Modified: 2017-11-14 08:51 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
proposed patch (573 bytes, patch)
2017-09-22 08:19 UTC, Milan Crha
committed

Description Milan Crha 2017-09-22 08:16:59 UTC
I get this when trying to connect to an Exchange server with NTLM, while the server advertises only Basic authentication. That's when doing an initial POST to
https://outlook.office365.com/EWS/Exchange.asmx

From the little I could get from gdb:

(gdb) f 8
 8  0x00007fffeaef7d94 in soup_auth_ntlm_update_connection (auth=0x60e0014936f0 [SoupAuthNTLM], msg=0x6140002a3570 [ESoapMessage], auth_header=0x602002d58830 "NTLM", state=0x603002dac1b0) at soup-auth-ntlm.c:335
335		if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce,
(gdb) l
330		}
331	
332		if (conn->state == SOUP_NTLM_NEW && !auth_header[4])
333			return TRUE;
334	
335		if (!soup_ntlm_parse_challenge (auth_header + 5, &conn->nonce,
336						priv->domain ? NULL : &priv->domain,
337						&conn->ntlmv2_session)) {
338			conn->state = SOUP_NTLM_FAILED;
339			return FALSE;
(gdb) p auth_header[3]
$1 = 77 'M'
(gdb) p auth_header[4]
$2 = 0 '\000'
(gdb) p conn->state
$3 = SOUP_NTLM_SENT_REQUEST

Backtrace follows:

#0 raise
#1 abort
#2 0x00007ffff6f1d43e in
#3 0x00007ffff6f25238 in
#4 0x00007ffff6f06225 in
#5 0x00007ffff6e6e38d in
#6 g_base64_decode at gbase64.c line 418
#7 soup_ntlm_parse_challenge at soup-auth-ntlm.c line 691
#8 soup_auth_ntlm_update_connection at soup-auth-ntlm.c line 335
#9 soup_connection_auth_update at soup-connection-auth.c line 131
#10 soup_auth_update at soup-auth.c line 309
#11 check_auth at soup-auth-manager.c line 395
#12 auth_got_headers at soup-auth-manager.c line 610
#13 status_handler_metamarshal at soup-message.c line 1257
#14 g_closure_invoke at gclosure.c line 804
#15 signal_emit_unlocked_R at gsignal.c line 3635
#16 g_signal_emit_valist at gsignal.c line 3391
#17 <emit signal ??? on instance 0x6140002a3570 [ESoapMessage]> at gsignal.c line 3447
#18 soup_message_got_headers at soup-message.c line 1128
#19 io_read at soup-message-io.c line 706
#20 io_run_until at soup-message-io.c line 982
#21 io_run at soup-message-io.c line 1053
#22 io_run_ready at soup-message-io.c line 1032
#23 message_source_dispatch at soup-message-io.c line 844
#24 g_main_dispatch at gmain.c line 3234
#25 g_main_context_dispatch at gmain.c line 3899
#26 g_main_context_iterate at gmain.c line 3972
#27 g_main_loop_run at gmain.c line 4168
#28 e_ews_soup_thread at /data/develop/test-any/evolutionews/src/server/e-ews-connection.c line 1853
#29 g_thread_proxy at gthread.c line 784
#30 start_thread
#31 clone

Comment 1 Milan Crha 2017-09-22 08:19:37 UTC
Created attachment 360243
proposed patch

Just check buffer bounds before accessing its offset. It fixes it for me and the login to the server seems quicker/smoother too (though just subjectively measured).
Comment 2 Dan Winship 2017-09-27 15:35:20 UTC
Comment on attachment 360243
proposed patch

OK. Could also merge with the previous check and maybe that would be cleaner. (Start with "if (!auth_header[4]) {" and then have the state==NEW and else cases inside; you don't actually need to check "!auth_header[5]" because soup_ntlm_parse_challenge() will correctly return FALSE in that case.)
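The failure mode in the report, and the merged check Dan suggests above, reduced to a small model (added example, not libsoup's code; ntlm_state, original_reads_past_buffer, hardened_update_connection and the parse_challenge stand-in are hypothetical names, and the header strings are constructed inputs). The original guard only tests auth_header[4] in the NEW state, so a bare "NTLM" header arriving in SENT_REQUEST state hands auth_header + 5, one past the terminating NUL, to the parser; the merged form decides on auth_header[4] first, so index 5 is only touched when index 4 is a separator and the NUL is at 5 or later:

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not libsoup code. Models the check at soup-auth-ntlm.c:332-335
 * from the gdb listing and the merged check suggested in Comment 2.
 * Precondition (as in libsoup, where the scheme has already been matched):
 * auth_header begins with the four bytes "NTLM". */

typedef enum { NTLM_NEW, NTLM_SENT_REQUEST, NTLM_FAILED } ntlm_state;

/* Stand-in for soup_ntlm_parse_challenge(). The real function base64-decodes
 * the challenge; here we only require a non-empty challenge, which mirrors
 * its returning FALSE when there is nothing to decode ("NTLM " -> ""). */
static bool parse_challenge(const char *challenge)
{
    return challenge[0] != '\0';
}

/* The original guard. Returns true when the code would go on to read from
 * auth_header + 5 even though that byte lies outside the NUL-terminated
 * buffer, i.e. the reporter's "NTLM" + SOUP_NTLM_SENT_REQUEST case. */
bool original_reads_past_buffer(ntlm_state state, const char *auth_header)
{
    size_t buf_len = strlen(auth_header) + 1;   /* bytes owned, NUL included */

    if (state == NTLM_NEW && !auth_header[4])
        return false;   /* early "return TRUE": nothing past index 4 is read */

    /* auth_header + 5 is passed to the parser; index 5 must be inside the buffer */
    return 5 >= buf_len;
}

/* Merged check along the lines of Comment 2: look at auth_header[4] first,
 * regardless of state, so auth_header + 5 is only formed when index 4 is a
 * separator and index 5 therefore exists (at worst it is the NUL). */
bool hardened_update_connection(ntlm_state *state, const char *auth_header)
{
    if (!auth_header[4]) {
        /* bare "NTLM": the server sent no challenge at all */
        if (*state == NTLM_NEW)
            return true;          /* server is merely advertising NTLM */
        *state = NTLM_FAILED;     /* we sent a request and got no challenge back */
        return false;
    }

    if (!parse_challenge(auth_header + 5)) {   /* "NTLM " yields "" and fails here */
        *state = NTLM_FAILED;
        return false;
    }
    /* the real code continues with the decoded challenge; out of scope here */
    return true;
}
```

Both the bare "NTLM" and the "NTLM " variants from Comment 3 end in the FAILED state without any read beyond the terminator; only a header with a separator and a non-empty challenge reaches the parser.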
Comment 3 Milan Crha 2017-09-27 15:39:49 UTC
I've been thinking of both cases, when the server returns
   "NTLM"
, but also
   "NTLM "
Just in case of some weird error on the server side (do you remember Yahoo! servers returning "\0" in message headers when they began to "advertise" the OAuth2 authentication method?).

I do not have a committable checkout, nor am I sure which branches to use. Would you mind committing for me, please?
Comment 4 Milan Crha 2017-11-14 08:51:13 UTC
Created commit 812f7388 in libsoup master (2.60.3+)
Created commit b7968983 in libsoup gnome-3-26 (2.60.3+)
Created commit 699f83d2 in libsoup gnome-3-24 (2.58.3+)
Created commit 1a05e68a in libsoup gnome-3-22 (2.56.2+)