ntlm: precaution against super huge type2 offsets

... which otherwise caused an integer overflow and circumvented the if() conditional size check. Detected by OSS-Fuzz Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720 Assisted-by: Max Dymond Closes #6975
author: Daniel Stenberg <daniel@haxx.se> 2021-04-27 11:12:23 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2021-04-27 16:02:02 +0200
commit: 3e820fbf25f38743fd30e0ce96ba9ae34791aa7c (patch)
tree: fba7222a3035ea33f6076dce52a69d530ca937d5 /lib/vauth
parent: 826c438c61ddf8ab4e0b16a584f7fa526bc417f9 (diff)
download: curl-3e820fbf25f38743fd30e0ce96ba9ae34791aa7c.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
index 7f5e0b174..47e53572c 100644
--- a/lib/vauth/ntlm.c
+++ b/lib/vauth/ntlm.c
@@ -178,7 +178,8 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
     target_info_len = Curl_read16_le(&type2[40]);
     target_info_offset = Curl_read32_le(&type2[44]);
     if(target_info_len > 0) {
-      if((target_info_offset + target_info_len) > type2len ||
+      if((target_info_offset > type2len) ||
+         (target_info_offset + target_info_len) > type2len ||
          target_info_offset < 48) {
         infof(data, "NTLM handshake failure (bad type-2 message). "
               "Target Info Offset Len is set incorrect by the peer\n");
author	Daniel Stenberg <daniel@haxx.se>	2021-04-27 11:12:23 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2021-04-27 16:02:02 +0200
commit	3e820fbf25f38743fd30e0ce96ba9ae34791aa7c (patch)
tree	fba7222a3035ea33f6076dce52a69d530ca937d5 /lib/vauth
parent	826c438c61ddf8ab4e0b16a584f7fa526bc417f9 (diff)
download	curl-3e820fbf25f38743fd30e0ce96ba9ae34791aa7c.tar.gz