authorSimo Sorce <simo@redhat.com>2015-03-19 20:22:49 -0400
committerSimo Sorce <simo@redhat.com>2015-03-19 20:22:49 -0400
commit64d1db926674fcc0ebda6e2d06238a19ea695206 (patch)
tree8b64c3e50eb870d835bcb5a349d220b315682d55
parent8c664f7e8523e8fb8136c1912d9f86b901558155 (diff)
Fix length check of nt_responsefix32bit
An array passed as a function argument is just a cosmetic way to pass a pointer. Therefore sizeof(array) will only return the pointer length, not the array length, and on 32-bit platforms pointers are 4 bytes long. Fix payload calculation by passing in the known correct length instead of using fancy sizeofs ...
-rw-r--r--src/ntlm_crypto.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/src/ntlm_crypto.c b/src/ntlm_crypto.c
index c07f6cd..13e886e 100644
--- a/src/ntlm_crypto.c
+++ b/src/ntlm_crypto.c
@@ -646,9 +646,7 @@ int ntlmv2_verify_nt_response(struct ntlm_buffer *nt_response,
nt_resp = (union wire_ntlm_response *)nt_response->data;
- payload.length = nt_response->length
- - sizeof(nt_resp->v2.resp)
- + sizeof(server_chal);
+ payload.length = nt_response->length - sizeof(nt_resp->v2.resp) + 8;
payload.data = malloc(payload.length);
if (!payload.data) return ENOMEM;
memcpy(payload.data, server_chal, 8);
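Review bot: The new `payload.length` expression subtracts `sizeof(nt_resp->v2.resp)` from `nt_response->length` with no lower-bound check visible in this hunk. Because `sizeof` yields a `size_t`, a response shorter than that field would make the subtraction wrap, and the `malloc` and `memcpy` that follow would then work from a bogus length. The function body starts above the hunk, so a guard may already exist there; if it does not, add something like `if (nt_response->length < sizeof(nt_resp->v2.resp)) return EINVAL;` before the computation. Separately, the literal `8` now appears in both the length calculation and the `memcpy`, so a named constant for the server-challenge size would keep the two in step.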