add some basic ntlm challenge validation (#2)

* add some basic ntlm challenge validation * add some unit tests
2021-05-03 21:48:19 -04:00 · 2021-05-03 21:48:19 -04:00 · ad847b4c56
commit ad847b4c56
parent ec337d51d2
2 changed files with 31 additions and 3 deletions
--- a/ntlm/message_challenge.go
+++ b/ntlm/message_challenge.go
@ -1,4 +1,4 @@
-//Copyright 2013 Thomson Reuters Global Resources. BSD License please see License file for more information
+// Copyright 2013 Thomson Reuters Global Resources. BSD License please see License file for more information

 package ntlm

@ -54,6 +54,10 @@ type ChallengeMessage struct {
 }

 func ParseChallengeMessage(body []byte) (*ChallengeMessage, error) {
+	if len(body) < 32 {
+		return nil, errors.New("invalid NTLM challenge")
+	}
+
 	challenge := new(ChallengeMessage)

 	challenge.Signature = body[0:8]
@ -79,6 +83,10 @@ func ParseChallengeMessage(body []byte) (*ChallengeMessage, error) {
 	offset := 32

 	if NTLMSSP_NEGOTIATE_TARGET_INFO.IsSet(challenge.NegotiateFlags) {
+		if len(body) < 48 {
+			return nil, errors.New("invalid NTLMSSP_NEGOTIATE_TARGET_INFO")
+		}
+
 		challenge.Reserved = body[32:40]

 		challenge.TargetInfoPayloadStruct, err = ReadBytePayload(40, body)
--- a/ntlm/message_challenge_test.go
+++ b/ntlm/message_challenge_test.go
@ -1,4 +1,4 @@
-//Copyright 2013 Thomson Reuters Global Resources. BSD License please see License file for more information
+// Copyright 2013 Thomson Reuters Global Resources. BSD License please see License file for more information

 package ntlm

@ -13,7 +13,6 @@ import (
 func TestDecodeChallenge(t *testing.T) {
 	challengeMessage := "TlRMTVNTUAACAAAAAAAAADgAAADzgpjiuaopAbx9ejQAAAAAAAAAAKIAogA4AAAABQLODgAAAA8CAA4AUgBFAFUAVABFAFIAUwABABwAVQBLAEIAUAAtAEMAQgBUAFIATQBGAEUAMAA2AAQAFgBSAGUAdQB0AGUAcgBzAC4AbgBlAHQAAwA0AHUAawBiAHAALQBjAGIAdAByAG0AZgBlADAANgAuAFIAZQB1AHQAZQByAHMALgBuAGUAdAAFABYAUgBlAHUAdABlAHIAcwAuAG4AZQB0AAAAAAA="
 	challengeData, err := base64.StdEncoding.DecodeString(challengeMessage)
-
 	if err != nil {
 		t.Error("Could not base64 decode message data")
 	}
@ -63,3 +62,24 @@ func TestDecodeChallenge(t *testing.T) {
 		t.Error("Invalid challenge messsage bytes")
 	}
 }
+
+func TestParseChallengeEmptyMessage(t *testing.T) {
+	_, err := ParseChallengeMessage(nil)
+	if err == nil {
+		t.Error("expected error, got nil")
+	}
+}
+
+func TestParseChallengeInvalidNegotiateTargetInfo(t *testing.T) {
+	challengeMessage := "TlRMTVNTUAACAAAAAAAAADgAAADzgpjiuaopAbx9ejQA"
+
+	challengeData, err := base64.StdEncoding.DecodeString(challengeMessage)
+	if err != nil {
+		t.Error("Could not base64 decode message data")
+	}
+
+	_, err = ParseChallengeMessage(challengeData)
+	if err == nil {
+		t.Error("expected error, got nil")
+	}
+}