diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2017-11-06 23:51:52 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2017-11-27 08:19:34 +0100 |
| commit | 7f2a1df6f5fc598750b2c6f34465c8d924db28cc (patch) | |
| tree | 4d56c434e60383ba81d16fbc90c1085393143ffb /lib | |
| parent | 0b664ba968437715819bfe4c7ada5679d16ebbc3 (diff) | |
ntlm: avoid integer overflow for malloc size
Reported-by: Alex Nichols
Assisted-by: Kamil Dudka and Max Dymond
CVE-2017-8816
Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/curl_ntlm_core.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index 1309bf0d9..43a290574 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -646,6 +646,12 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, return CURLE_OK; } +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +#define SIZE_T_MAX 18446744073709551615U +#else +#define SIZE_T_MAX 4294967295U +#endif + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode * (uppercase UserName + Domain) as the data */ @@ -655,10 +661,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, unsigned char *ntlmv2hash) { /* Unicode representation */ - size_t identity_len = (userlen + domlen) * 2; - unsigned char *identity = malloc(identity_len); + size_t identity_len; + unsigned char *identity; CURLcode result = CURLE_OK; + /* we do the length checks below separately to avoid integer overflow risk + on extreme data lengths */ + if((userlen > SIZE_T_MAX/2) || + (domlen > SIZE_T_MAX/2) || + ((userlen + domlen) > SIZE_T_MAX/2)) + return CURLE_OUT_OF_MEMORY; + + identity_len = (userlen + domlen) * 2; + identity = malloc(identity_len); + if(!identity) return CURLE_OUT_OF_MEMORY; |