authorDaniel Stenberg <daniel@haxx.se>2020-11-28 22:29:59 +0100
committerDaniel Stenberg <daniel@haxx.se>2020-11-28 22:29:59 +0100
commitf469c355a1cf7dc7bc670f2e14f3c24b444d95c4 (patch)
tree7b8a646efd13a9225c623b02fc0cc5b23d3d9529
parent227daceabe7a8acd411cb8220d1b67d0d920bfc6 (diff)
downloadcurl-bagder/ntlm-zerolen-user.tar.gz
ntlm: avoid malloc(0) on zero length user and domainbagder/ntlm-zerolen-user
... and simplify the too-long checks somewhat. Detected by OSS-Fuzz
-rw-r--r--lib/curl_ntlm_core.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 9245c1d10..9a075ac90 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -580,15 +580,11 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
unsigned char *identity;
CURLcode result = CURLE_OK;
- /* we do the length checks below separately to avoid integer overflow risk
- on extreme data lengths */
- if((userlen > SIZE_T_MAX/2) ||
- (domlen > SIZE_T_MAX/2) ||
- ((userlen + domlen) > SIZE_T_MAX/2))
+ if((userlen > CURL_MAX_INPUT_LENGTH) || (domlen > CURL_MAX_INPUT_LENGTH))
return CURLE_OUT_OF_MEMORY;
identity_len = (userlen + domlen) * 2;
- identity = malloc(identity_len);
+ identity = malloc(identity_len + 1);
if(!identity)
return CURLE_OUT_OF_MEMORY;
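Review bot: The `+ 1` in `malloc(identity_len + 1)` carries no comment, and a reader can easily take it for NUL-terminator space rather than the guard against `malloc(0)`, which may return NULL and would then be reported as out of memory for an empty user and domain. I would add `/* +1 so a zero-length user and domain never ends up as malloc(0) */` above that line. The new length check also drops the old comment about integer overflow, while `(userlen + domlen) * 2` is now safe only as long as `CURL_MAX_INPUT_LENGTH` stays well below `SIZE_MAX / 4`; its definition is not visible in this hunk, so a short comment such as `/* both lengths are capped, so the doubled sum cannot wrap */` would keep that dependency visible. The function body starts and ends outside the hunk.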