| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 |
- From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
- From: Daniel Stenberg <daniel@haxx.se>
- Date: Mon, 6 Nov 2017 23:51:52 +0100
- Subject: [PATCH] ntlm: avoid integer overflow for malloc size
- Reported-by: Alex Nichols
- Assisted-by: Kamil Dudka and Max Dymond
- CVE-2017-8816
- Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
- ---
- lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
- 1 file changed, 21 insertions(+), 2 deletions(-)
- --- a/lib/curl_ntlm_core.c
- +++ b/lib/curl_ntlm_core.c
- @@ -618,6 +618,15 @@ CURLcode Curl_hmac_md5(const unsigned ch
- return CURLE_OK;
- }
-
- +#ifndef SIZE_T_MAX
- +/* some limits.h headers have this defined, some don't */
- +#if defined(_LP64) || defined(_I32LPx)
- +#define SIZE_T_MAX 18446744073709551615U
- +#else
- +#define SIZE_T_MAX 4294967295U
- +#endif
- +#endif
- +
- /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
- * (uppercase UserName + Domain) as the data
- */
- @@ -627,10 +636,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c
- unsigned char *ntlmv2hash)
- {
- /* Unicode representation */
- - size_t identity_len = (userlen + domlen) * 2;
- - unsigned char *identity = malloc(identity_len);
- + size_t identity_len;
- + unsigned char *identity;
- CURLcode result = CURLE_OK;
-
- + /* we do the length checks below separately to avoid integer overflow risk
- + on extreme data lengths */
- + if((userlen > SIZE_T_MAX/2) ||
- + (domlen > SIZE_T_MAX/2) ||
- + ((userlen + domlen) > SIZE_T_MAX/2))
- + return CURLE_OUT_OF_MEMORY;
- +
- + identity_len = (userlen + domlen) * 2;
- + identity = malloc(identity_len);
- +
- if(!identity)
- return CURLE_OUT_OF_MEMORY;
-
|
