aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorMajor_Tom <9447735+MajorTomSec@users.noreply.github.com>2020-05-13 21:41:27 +0200
committerDaniel Stenberg <daniel@haxx.se>2020-05-14 08:36:35 +0200
commit8e762199b094cd77fcd636fee2c503a5b00d0d2e (patch)
tree0d6b0efca1db4ce335ef389bd66cb4689212b03e /lib
parentf9983a6f9eb5314ad1a788d06929f6763ada6204 (diff)
vauth/cleartext: fix theoretical integer overflow
Fix theoretical integer overflow in Curl_auth_create_plain_message. The security impact of the overflow was discussed on hackerone. We agreed this is more of a theoretical vulnerability, as the integer overflow would only be triggerable on systems using 32-bits size_t with over 4GB of available memory space for the process. Closes #5391
Diffstat (limited to 'lib')
-rw-r--r--lib/vauth/cleartext.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
index 6f452c169..001f6ea9a 100644
--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
@@ -81,7 +81,8 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
- if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+ if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) ||
+ (plen > (SIZE_T_MAX/2 - 2)))
return CURLE_OUT_OF_MEMORY;
plainlen = zlen + clen + plen + 2;