summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2017-11-06 23:51:52 +0100
committerDaniel Stenberg <daniel@haxx.se>2017-11-27 08:19:34 +0100
commit7f2a1df6f5fc598750b2c6f34465c8d924db28cc (patch)
tree4d56c434e60383ba81d16fbc90c1085393143ffb /lib
parent0b664ba968437715819bfe4c7ada5679d16ebbc3 (diff)
downloadcurl-7f2a1df6f5fc598750b2c6f34465c8d924db28cc.tar.gz
ntlm: avoid integer overflow for malloc size
Reported-by: Alex Nichols Assisted-by: Kamil Dudka and Max Dymond CVE-2017-8816 Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
Diffstat (limited to 'lib')
-rw-r--r--lib/curl_ntlm_core.c20
1 files changed, 18 insertions, 2 deletions
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 1309bf0d9..43a290574 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -646,6 +646,12 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
return CURLE_OK;
}
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+
/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
* (uppercase UserName + Domain) as the data
*/
@@ -655,10 +661,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
unsigned char *ntlmv2hash)
{
/* Unicode representation */
- size_t identity_len = (userlen + domlen) * 2;
- unsigned char *identity = malloc(identity_len);
+ size_t identity_len;
+ unsigned char *identity;
CURLcode result = CURLE_OK;
+ /* we do the length checks below separately to avoid integer overflow risk
+ on extreme data lengths */
+ if((userlen > SIZE_T_MAX/2) ||
+ (domlen > SIZE_T_MAX/2) ||
+ ((userlen + domlen) > SIZE_T_MAX/2))
+ return CURLE_OUT_OF_MEMORY;
+
+ identity_len = (userlen + domlen) * 2;
+ identity = malloc(identity_len);
+
if(!identity)
return CURLE_OUT_OF_MEMORY;