authorDaniel Stenberg <daniel@haxx.se>2021-04-27 11:12:23 +0200
committerDaniel Stenberg <daniel@haxx.se>2021-04-27 11:13:03 +0200
commit9d4f698523bc4fcbfe000d20876ad8c51702c4c8 (patch)
tree4dd3ff05e1f17e7ff33ef58d5adf1f4898b5e65c
parent2e23f3b8d54c6e4e568f019b2f66bfd9f9bac7a2 (diff)
ntlm: precation against super huge type2 offsetsbagder/ntlm-type2-overflow
... which otherwise caused an integer overflow and circumvented the if() conditional size check.

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
-rw-r--r--lib/vauth/ntlm.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
index 7f5e0b174..47e53572c 100644
--- a/lib/vauth/ntlm.c
+++ b/lib/vauth/ntlm.c
@@ -178,7 +178,8 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
target_info_len = Curl_read16_le(&type2[40]);
target_info_offset = Curl_read32_le(&type2[44]);
if(target_info_len > 0) {
- if((target_info_offset + target_info_len) > type2len ||
+ if((target_info_offset > type2len) ||
+ (target_info_offset + target_info_len) > type2len ||
target_info_offset < 48) {
infof(data, "NTLM handshake failure (bad type-2 message). "
"Target Info Offset Len is set incorrect by the peer\n");
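Review bot: The addition `target_info_offset + target_info_len` on the second condition line is still evaluated in the operands' own integer width, so the new `target_info_offset > type2len` guard only prevents the wrap-around as long as `type2len` itself stays far enough below that width's maximum; that holds for any realistic type-2 message, but the check is only correct because the guard is evaluated first and `||` short-circuits, and nothing in the hunk says so. A formulation that needs no addition at all would be `target_info_offset > type2len || target_info_len > type2len - target_info_offset || target_info_offset < 48`, where the subtraction cannot underflow precisely because the first comparison already rejected offsets beyond `type2len`. If the addition is kept, a one-line comment such as `/* offset is already <= type2len here, so the sum below cannot wrap */` above the second condition would record why the order of the three comparisons matters. The declared types of `target_info_offset`, `target_info_len` and `type2len`, and the length check that must precede the reads at `type2[40]` and `type2[44]`, are in the enclosing `ntlm_decode_type2_target`, which starts and ends outside this hunk.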