add some basic ntlm challenge validation (#2)

* add some basic ntlm challenge validation

* add some unit tests

ntlm/message_challenge.go

@@ -54,6 +54,10 @@ type ChallengeMessage struct {
 }
 
 func ParseChallengeMessage(body []byte) (*ChallengeMessage, error) {
+	if len(body) < 32 {
+		return nil, errors.New("invalid NTLM challenge")
+	}
+
 	challenge := new(ChallengeMessage)
 
 	challenge.Signature = body[0:8]
@@ -79,6 +83,10 @@ func ParseChallengeMessage(body []byte) (*ChallengeMessage, error) {
 	offset := 32
 
 	if NTLMSSP_NEGOTIATE_TARGET_INFO.IsSet(challenge.NegotiateFlags) {
+		if len(body) < 48 {
+			return nil, errors.New("invalid NTLMSSP_NEGOTIATE_TARGET_INFO")
+		}
+
 		challenge.Reserved = body[32:40]
 
 		challenge.TargetInfoPayloadStruct, err = ReadBytePayload(40, body)

ntlm/message_challenge_test.go

@@ -13,7 +13,6 @@ import (
 func TestDecodeChallenge(t *testing.T) {
 	challengeMessage := "TlRMTVNTUAACAAAAAAAAADgAAADzgpjiuaopAbx9ejQAAAAAAAAAAKIAogA4AAAABQLODgAAAA8CAA4AUgBFAFUAVABFAFIAUwABABwAVQBLAEIAUAAtAEMAQgBUAFIATQBGAEUAMAA2AAQAFgBSAGUAdQB0AGUAcgBzAC4AbgBlAHQAAwA0AHUAawBiAHAALQBjAGIAdAByAG0AZgBlADAANgAuAFIAZQB1AHQAZQByAHMALgBuAGUAdAAFABYAUgBlAHUAdABlAHIAcwAuAG4AZQB0AAAAAAA="
 	challengeData, err := base64.StdEncoding.DecodeString(challengeMessage)
-
 	if err != nil {
 		t.Error("Could not base64 decode message data")
 	}
@@ -63,3 +62,24 @@ func TestDecodeChallenge(t *testing.T) {
 		t.Error("Invalid challenge messsage bytes")
 	}
 }
+
+func TestParseChallengeEmptyMessage(t *testing.T) {
+	_, err := ParseChallengeMessage(nil)
+	if err == nil {
+		t.Error("expected error, got nil")
+	}
+}
+
+func TestParseChallengeInvalidNegotiateTargetInfo(t *testing.T) {
+	challengeMessage := "TlRMTVNTUAACAAAAAAAAADgAAADzgpjiuaopAbx9ejQA"
+
+	challengeData, err := base64.StdEncoding.DecodeString(challengeMessage)
+	if err != nil {
+		t.Error("Could not base64 decode message data")
+	}
+
+	_, err = ParseChallengeMessage(challengeData)
+	if err == nil {
+		t.Error("expected error, got nil")
+	}
+}