[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [gnurl] 109/116: ntlm: avoid integer overflow for malloc si
|
From: |
gnunet |
|
Subject: |
[GNUnet-SVN] [gnurl] 109/116: ntlm: avoid integer overflow for malloc size |
|
Date: |
Tue, 05 Dec 2017 14:52:19 +0100 |
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 7f2a1df6f5fc598750b2c6f34465c8d924db28cc
Author: Daniel Stenberg <address@hidden>
AuthorDate: Mon Nov 6 23:51:52 2017 +0100
ntlm: avoid integer overflow for malloc size
Reported-by: Alex Nichols
Assisted-by: Kamil Dudka and Max Dymond
CVE-2017-8816
Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
---
lib/curl_ntlm_core.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 1309bf0d9..43a290574 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -646,6 +646,12 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned
int keylen,
return CURLE_OK;
}
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+
/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
* (uppercase UserName + Domain) as the data
*/
@@ -655,10 +661,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user,
size_t userlen,
unsigned char *ntlmv2hash)
{
/* Unicode representation */
- size_t identity_len = (userlen + domlen) * 2;
- unsigned char *identity = malloc(identity_len);
+ size_t identity_len;
+ unsigned char *identity;
CURLcode result = CURLE_OK;
+ /* we do the length checks below separately to avoid integer overflow risk
+ on extreme data lengths */
+ if((userlen > SIZE_T_MAX/2) ||
+ (domlen > SIZE_T_MAX/2) ||
+ ((userlen + domlen) > SIZE_T_MAX/2))
+ return CURLE_OUT_OF_MEMORY;
+
+ identity_len = (userlen + domlen) * 2;
+ identity = malloc(identity_len);
+
if(!identity)
return CURLE_OUT_OF_MEMORY;
--
To stop receiving notification emails like this one, please contact
address@hidden
- [GNUnet-SVN] [gnurl] 94/116: Curl_open: fix OOM return error correctly, (continued)
- [GNUnet-SVN] [gnurl] 94/116: Curl_open: fix OOM return error correctly, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 113/116: openssl: fix boringssl build again, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 110/116: global_init: ignore CURL_GLOBAL_SSL's absense, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 114/116: THANKS: added contributors from 7.57.0 release, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 88/116: ntlm: remove unnecessary NULL-check to please scan-build, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 112/116: curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 107/116: url: fix alignment of ssl_backend_data struct, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 116/116: Merge tag 'curl-7_57_0', gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 111/116: libcurl-share.3: the connection cache is shareable now, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 102/116: metalink: fix memory-leak and NULL pointer dereference, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 109/116: ntlm: avoid integer overflow for malloc size,
gnunet <=
- [GNUnet-SVN] [gnurl] 115/116: RELEASE-NOTES: curl 7.57.0, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 104/116: test: add tests to ensure basic file: URLs, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 100/116: make: fix "make distclean", gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 90/116: mime: fix "Value stored to 'sz' is never read" scan-build error, gnunet, 2017/12/05
- [GNUnet-SVN] [gnurl] 74/116: setopt: split out curl_easy_setopt() to its own file, gnunet, 2017/12/05