Commit 80a32438 authored by Daniel Stenberg

Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where

libcurl always and unconditionally overwrote a stack-based array with 3 zero
bytes. I edited the fix to make it less likely to occur again (and added
a comment explaining the reason for the buffer size).
parent 16351877
+5 −0
@@ -6,6 +6,11 @@

                                  Changelog

Daniel (8 December 2004)
- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
  libcurl always and unconditionally overwrote a stack-based array with 3 zero
  bytes. This is not an exploitable buffer overflow. No need to get alarmed.

Daniel (7 December 2004)
- Fixed so that the final error message is sent to the verbose info "stream"
  even if no errorbuffer is set.
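Review bot: the sentence "This is not an exploitable buffer overflow. No need to get alarmed." makes a safety claim this patch does not substantiate; the http_ntlm.c hunk shows `memset(ntbuffer+16, 0, 8)` writing 3 bytes past the end of a 21-byte stack array, and whether those 3 zero bytes land on anything that matters depends on the compiler's stack layout, which is not visible here. Suggest the entry state only the facts ("wrote three zero bytes past the end of a 21-byte stack buffer in mkhash(); the memset is now sized from the array") and leave the exploitability verdict out or mark it as the author's assessment. The entry also says "the NTLM code" without naming the buffer: mentioning `ntbuffer` in `mkhash()` under `USE_NTRESPONSES` would let users check whether their build is even affected.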
+2 −1
@@ -25,6 +25,7 @@ This release includes the following changes:

This release includes the following bugfixes:

 o bad memory access in the NTLM code
 o EPSV on multi-homed servers now works correctly
 o chunked-encoded transfers could get closed pre-maturely without error
 o proxy CONNECT now default timeouts after 3600 seconds
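Review bot: "bad memory access in the NTLM code" is inconsistent with the CHANGES entry in this same commit, which calls it a buffer overrun, and it does not say which side (read or write) or where; people scanning release notes for memory-safety fixes will miss it. Suggest "o NTLM: stack buffer overrun (3 bytes written past ntbuffer) in mkhash()" so both files describe the same defect in the same words.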
@@ -61,6 +62,6 @@ advice from friends like these:
 Tomas Pospisek, Gisle Vanem, Dan Fandrich, Paul Nolan, Andres Garcia,
 Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips,
 Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum,
 Richard Atterer
 Richard Atterer, Rene Bernhardt

        Thanks! (and sorry if I forgot to mention someone)
+4 −2
@@ -202,6 +202,8 @@ static void mkhash(char *password,
#endif
  )
{
  /* 21 bytes fits 3 7-bytes chunks, as we use 56 bit (7 bytes) as DES input,
     and we add three different ones, see the calc_resp() function */
  unsigned char lmbuffer[21];
#ifdef USE_NTRESPONSES
  unsigned char ntbuffer[21];
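Review bot: the comment explains why 21 is right, but the value is still hard-coded separately for `lmbuffer[21]` and `ntbuffer[21]`, and the `16` offsets in the memset hunks below depend on it implicitly, so a later change to one declaration will not propagate to the other or to calc_resp(). Suggest a named constant defined next to calc_resp() (for example a #define for the 21 bytes of DES key material) and using it for both arrays. Nit: "3 7-bytes chunks" should read "three 7-byte chunks".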
@@ -239,7 +241,7 @@ static void mkhash(char *password,
    DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8),
                    DESKEY(ks), DES_ENCRYPT);

    memset(lmbuffer+16, 0, 5);
    memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);
  }
  /* create LM responses */
  calc_resp(lmbuffer, nonce, lmresp);
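Review bot: this memset was not the overrun (`memset(lmbuffer+16, 0, 5)` already ended exactly at byte 21 of the 21-byte array), so the change is defensive, which is fine, but `sizeof(lmbuffer)-16` only stays correct while lmbuffer is a local array; if it is ever passed in as a pointer, sizeof becomes the pointer size and the unsigned subtraction wraps to a huge length. Suggest writing the length as the named buffer-size constant minus the DES output size instead, and adding a short comment that the 16 is the two 8-byte DES blocks produced by the DES_ecb_encrypt() calls directly above.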
@@ -260,7 +262,7 @@ static void mkhash(char *password,
    MD4_Update(&MD4, pw, 2*len);
    MD4_Final(ntbuffer, &MD4);

    memset(ntbuffer+16, 0, 8);
    memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);
  }

  calc_resp(ntbuffer, nonce, ntresp);
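Review bot: this is the actual fix and the arithmetic is right: `memset(ntbuffer+16, 0, 8)` wrote bytes 16 through 23 of a 21-byte array, the three bytes past the end named in the commit message, and `sizeof(ntbuffer)-16` gives the intended 5. The 16 is the MD4 digest length that MD4_Final() writes just above; spelling that out (MD4_DIGEST_LENGTH where the MD4 header provides it, otherwise a comment) would make the invariant obvious to the next reader. Same caveat as for lmbuffer: the sizeof expression depends on ntbuffer remaining a local array rather than a pointer.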