diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-09-08 23:03:53 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-09-09 10:44:02 +0200 |
commit | 37da149670ebf0535793e13be9f46166c8303978 (patch) | |
tree | ec82bda62125c6e5fa7099edb48da378206c4f4b /lib | |
parent | 6e4b8c5073c3985cef98656c3b375981d25a8898 (diff) |
ntlm_wb: bail out if the response gets overly large
Exit the realloc() loop if the response turns out ridiculously large to
avoid worse problems.
Reported-by: Harry Sintonen
Closes #2959
Diffstat (limited to 'lib')
-rw-r--r-- | lib/curl_ntlm_wb.c | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c index 353a65645..baf579ef7 100644 --- a/lib/curl_ntlm_wb.c +++ b/lib/curl_ntlm_wb.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -249,6 +249,9 @@ done: return CURLE_REMOTE_ACCESS_DENIED; } +/* if larger than this, something is seriously wrong */ +#define MAX_NTLM_WB_RESPONSE 100000 + static CURLcode ntlm_wb_response(struct connectdata *conn, const char *input, curlntlm state) { @@ -289,6 +292,12 @@ static CURLcode ntlm_wb_response(struct connectdata *conn, buf[len_out - 1] = '\0'; break; } + + if(len_out > MAX_NTLM_WB_RESPONSE) { + failf(conn->data, "too large ntlm_wb response!"); + return CURLE_OUT_OF_MEMORY; + } + newbuf = Curl_saferealloc(buf, len_out + NTLM_BUFSIZE); if(!newbuf) return CURLE_OUT_OF_MEMORY; |