summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2018-09-08 23:03:53 +0200
committerDaniel Stenberg <daniel@haxx.se>2018-09-09 10:44:02 +0200
commit37da149670ebf0535793e13be9f46166c8303978 (patch)
treeec82bda62125c6e5fa7099edb48da378206c4f4b
parent6e4b8c5073c3985cef98656c3b375981d25a8898 (diff)
downloadcurl-37da149670ebf0535793e13be9f46166c8303978.tar.gz
ntlm_wb: bail out if the response gets overly large
Exit the realloc() loop if the response turns out ridiculously large to avoid worse problems. Reported-by: Harry Sintonen Closes #2959
-rw-r--r--lib/curl_ntlm_wb.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index 353a65645..baf579ef7 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -249,6 +249,9 @@ done:
return CURLE_REMOTE_ACCESS_DENIED;
}
+/* if larger than this, something is seriously wrong */
+#define MAX_NTLM_WB_RESPONSE 100000
+
static CURLcode ntlm_wb_response(struct connectdata *conn,
const char *input, curlntlm state)
{
@@ -289,6 +292,12 @@ static CURLcode ntlm_wb_response(struct connectdata *conn,
buf[len_out - 1] = '\0';
break;
}
+
+ if(len_out > MAX_NTLM_WB_RESPONSE) {
+ failf(conn->data, "too large ntlm_wb response!");
+ return CURLE_OUT_OF_MEMORY;
+ }
+
newbuf = Curl_saferealloc(buf, len_out + NTLM_BUFSIZE);
if(!newbuf)
return CURLE_OUT_OF_MEMORY;