aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--CHANGES5
-rw-r--r--RELEASE-NOTES3
-rw-r--r--lib/http_ntlm.c6
3 files changed, 11 insertions, 3 deletions
diff --git a/CHANGES b/CHANGES
index 3f68e041d..bdac7b113 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@
Changelog
+Daniel (8 December 2004)
+- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
+ libcurl always and unconditionally overwrote a stack-based array with 3 zero
+ bytes. This is not an exploitable buffer overflow. No need to get alarmed.
+
Daniel (7 December 2004)
- Fixed so that the final error message is sent to the verbose info "stream"
even if no errorbuffer is set.
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 79d741d01..503514aa0 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -25,6 +25,7 @@ This release includes the following changes:
This release includes the following bugfixes:
+ o bad memory access in the NTLM code
o EPSV on multi-homed servers now works correctly
o chunked-encoded transfers could get closed pre-maturely without error
o proxy CONNECT now default timeouts after 3600 seconds
@@ -61,6 +62,6 @@ advice from friends like these:
Tomas Pospisek, Gisle Vanem, Dan Fandrich, Paul Nolan, Andres Garcia,
Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips,
Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum,
- Richard Atterer
+ Richard Atterer, Rene Bernhardt
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c
index dc31e837a..7de00ada1 100644
--- a/lib/http_ntlm.c
+++ b/lib/http_ntlm.c
@@ -202,6 +202,8 @@ static void mkhash(char *password,
#endif
)
{
+ /* 21 bytes fits 3 7-bytes chunks, as we use 56 bit (7 bytes) as DES input,
+ and we add three different ones, see the calc_resp() function */
unsigned char lmbuffer[21];
#ifdef USE_NTRESPONSES
unsigned char ntbuffer[21];
@@ -239,7 +241,7 @@ static void mkhash(char *password,
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8),
DESKEY(ks), DES_ENCRYPT);
- memset(lmbuffer+16, 0, 5);
+ memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);
}
/* create LM responses */
calc_resp(lmbuffer, nonce, lmresp);
@@ -260,7 +262,7 @@ static void mkhash(char *password,
MD4_Update(&MD4, pw, 2*len);
MD4_Final(ntbuffer, &MD4);
- memset(ntbuffer+16, 0, 8);
+ memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);
}
calc_resp(ntbuffer, nonce, ntresp);