From cc06e145f206ad1f29469b31df8ea26311b40606 Mon Sep 17 00:00:00 2001
From: Juan Jose Nicola
Date: Thu, 25 Jun 2026 12:57:02 -0300
Subject: [PATCH 1/3] Fix: useragent in nasl_http2.c Reported as an use-after-free issue, but the problem was that I was using the wrong variable. Now uses the right one ua
---
 nasl/nasl_http2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nasl/nasl_http2.c b/nasl/nasl_http2.c
index ba8dac1ae8..e24dee5ba5 100644
--- a/nasl/nasl_http2.c
+++ b/nasl/nasl_http2.c
@@ -347,7 +347,7 @@ _http2_req (lex_ctxt *lexic, KEYWORD keyword)
 }
 if (ua)
 {
- curl_easy_setopt (handle, CURLOPT_USERAGENT, g_strdup (url->str));
+ curl_easy_setopt (handle, CURLOPT_USERAGENT, g_strdup (ua));
 g_free (ua);
 }
From 792560ba8e3606754c7a4347e33d0f9e2596c7e8 Mon Sep 17 00:00:00 2001
From: Juan Jose Nicola
Date: Thu, 25 Jun 2026 13:34:08 -0300
Subject: [PATCH 2/3] Fix: avoid stack overflow when password length is greater than 21
---
 nasl/nasl_crypto.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/nasl/nasl_crypto.c b/nasl/nasl_crypto.c
index 2758e104f7..607618a546 100644
--- a/nasl/nasl_crypto.c
+++ b/nasl/nasl_crypto.c
@@ -675,6 +675,8 @@ nasl_ntlmv1_hash (lex_ctxt *lexic)
 if (pass_len < 16)
 pass_len = 16;
+ if (pass_len > 21)
+ pass_len = 21;
 bzero (p21, sizeof (p21));
 memcpy (p21, password, pass_len);
From 3178b564d6c37e9b1fd1857f0bfdf5a214d3ecc5 Mon Sep 17 00:00:00 2001
From: Juan Jose Nicola
Date: Thu, 25 Jun 2026 14:16:02 -0300
Subject: [PATCH 3/3] Fix: check buffer lenght before memcpy
---
 nasl/nasl_crypto.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/nasl/nasl_crypto.c b/nasl/nasl_crypto.c
index 607618a546..dfc0ea4870 100644
--- a/nasl/nasl_crypto.c
+++ b/nasl/nasl_crypto.c
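Review bot: In the `if (ua)` branch of `_http2_req` (nasl/nasl_http2.c, patch 1/3), the copy made by `g_strdup (ua)` is never freed. libcurl keeps its own copy of string options such as `CURLOPT_USERAGENT`, so the duplicate leaks on every request that sets a user agent. Passing the string directly is enough, `curl_easy_setopt (handle, CURLOPT_USERAGENT, ua);`, with the existing `g_free (ua);` left as it is. The function starts and ends outside the hunk, so how `ua` is allocated is not visible here; the `g_free` that follows suggests it is heap-owned by this function.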
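Review bot: In `nasl_ntlmv1_hash` (nasl/nasl_crypto.c, patch 2/3), the unchanged lower clamp `if (pass_len < 16) pass_len = 16;` still lets `memcpy (p21, password, pass_len)` read past the end of `password` when the supplied value is shorter than 16 bytes. The new upper clamp only bounds the write into `p21`. Because `p21` is zeroed just before the copy, the length can be the real input size capped at the buffer size, never raised above what was supplied. The cap is also safer written against the buffer than as a literal: `if (pass_len > (int) sizeof (p21)) pass_len = sizeof (p21);`. Where `password` and `pass_len` are obtained is outside the hunk, so confirm that `pass_len` is the actual size of the script-supplied value.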
@@ -257,6 +257,12 @@ nasl_get_sign (lex_ctxt *lexic) uint8_t calc_md5_mac[16]; simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf, seq_num, calc_md5_mac); + if (buflen != get_var_size_by_name (lexic, "buf") || buflen < 26) + { + nasl_perror (lexic, "OOB read/write\n"); + return NULL; + } + memcpy (buf + 18, calc_md5_mac, 8); char *ret = g_malloc0 (buflen); memcpy (ret, buf, buflen);
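Review bot: The new length check in `nasl_get_sign` runs only after `simple_packet_signature_ntlmssp ((uint8_t *) mac_key, buf, seq_num, calc_md5_mac)` has already been handed `buf`. If that helper walks the packet using a length taken from the data itself, an undersized or mismatched buffer is read before it is rejected; what the helper reads is not visible in this hunk. Moving the `if (buflen != get_var_size_by_name (lexic, "buf") || buflen < 26)` block above the signature call, ahead of any use of `buf`, closes that gap. The message `"OOB read/write\n"` also tells a script author little; something like `"nasl_get_sign: buf must be at least 26 bytes and match buflen\n"` names the function and the expected size. The function starts and continues outside the hunk.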