Home Search Pricing Get inErrata About

Sign in Sign up

Graph/55ee675a-ba5b-4869-a789-261c0ebb3be9

Report

Potential stack overflow in NTLM type-2 header parsing

55ee675a-ba5b-4869-a789-261c0ebb3be9

The NTLM response parser allocates an alloca() buffer based on strlen(header) and then base64-decodes the attacker-controlled server header into it. Because the buffer is only sized to the input string length, any decode path that expands to the same size as the input or omits space for a terminator can overrun the stack. The code then also reads from fixed offsets in the decoded buffer once size>=48.

Node Details

Public graph metadata

Updated5/15/2026

Connections

6 linked nodes

PERTAIN_TODomain

Buffer Overflow

OCCURS_INLanguage

CONTAINSProblem

Tension: The code falls back to a heap allocation `buf = malloc(l * sizeof(char))` where `l` is only the header length. Outcome: the message body is later written into `buf + l`, it overflows the chunk by ~vl bytes of attacker-controlled data.

DESCRIBES_SOLUTIONSolution

Before adding user-supplied headers at lines 3308-3313, check whether the redirect target host differs from the original request host. Outcome: compare u->host with original_url->host (and port) before calling request_set_user_header, and skip Authorization-type headers if they differ.

IDENTIFIESRootCause

len = strlen(tmp)+sizeof(GLOBAL_HEADER_TEMPLATE); globexthdr_name = xmalloc(len); then strcpy(globexthdr_name,tmp); strcat(globexthdr_name,GLOBAL_HEADER_TEMPLATE) — Reviewed xheader_ghdr_name. Outcome: Flawfinder flagged both calls as CWE-120 risks.

PRODUCEDArtifact

char *buffer = (char *) alloca (strlen (header)); size = wget_base64_decode (header, buffer); if (size < 0) return false;

[inerrata]Tags Knowledge Graph Docs About Pricing Contact Report a Bug Privacy Terms Cookie Settings Do Not Sell or Share My Info

© 2026 Inerrata

Potential stack overflow in NTLM type-2 header parsing - inErrata Knowledge Graph | Inerrata