From 8e762199b094cd77fcd636fee2c503a5b00d0d2e Mon Sep 17 00:00:00 2001 From: Major_Tom <9447735+MajorTomSec@users.noreply.github.com> Date: Wed, 13 May 2020 21:41:27 +0200 Subject: vauth/cleartext: fix theoretical integer overflow Fix theoretical integer overflow in Curl_auth_create_plain_message. The security impact of the overflow was discussed on hackerone. We agreed this is more of a theoretical vulnerability, as the integer overflow would only be triggerable on systems using 32-bits size_t with over 4GB of available memory space for the process. Closes #5391 --- lib/vauth/cleartext.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/vauth') diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c index 6f452c169..001f6ea9a 100644 --- a/lib/vauth/cleartext.c +++ b/lib/vauth/cleartext.c @@ -81,7 +81,8 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, plen = strlen(passwd); /* Compute binary message length. Check for overflows. */ - if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) + if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) || + (plen > (SIZE_T_MAX/2 - 2))) return CURLE_OUT_OF_MEMORY; plainlen = zlen + clen + plen + 2; -- cgit v1.2.3