From 945f60e8a7f08aedb0eede5e3574f1972fc86ec8 Mon Sep 17 00:00:00 2001 From: Patrick Monnerat Date: Thu, 24 Nov 2016 14:28:39 +0100 Subject: Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows. See CRL-01-006. --- lib/vauth/cleartext.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) (limited to 'lib/vauth') diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c index 6df419a64..a761ae784 100644 --- a/lib/vauth/cleartext.c +++ b/lib/vauth/cleartext.c @@ -66,16 +66,27 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, char *plainauth; size_t ulen; size_t plen; + size_t plainlen; + *outlen = 0; + *outptr = NULL; ulen = strlen(userp); plen = strlen(passwdp); - plainauth = malloc(2 * ulen + plen + 2); - if(!plainauth) { - *outlen = 0; - *outptr = NULL; + /* Compute binary message length, checking for overflows. */ + plainlen = 2 * ulen; + if(plainlen < ulen) + return CURLE_OUT_OF_MEMORY; + plainlen += plen; + if(plainlen < plen) + return CURLE_OUT_OF_MEMORY; + plainlen += 2; + if(plainlen < 2) + return CURLE_OUT_OF_MEMORY; + + plainauth = malloc(plainlen); + if(!plainauth) return CURLE_OUT_OF_MEMORY; - } /* Calculate the reply */ memcpy(plainauth, userp, ulen); @@ -85,8 +96,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, memcpy(plainauth + 2 * ulen + 2, passwdp, plen); /* Base64 encode the reply */ - result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr, - outlen); + result = Curl_base64_encode(data, plainauth, plainlen, outptr, outlen); free(plainauth); return result; -- cgit v1.2.3