summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2020-11-28 22:29:59 +0100
committerDaniel Stenberg <daniel@haxx.se>2020-11-29 11:24:54 +0100
commit65d2f563fd908fcb53652339ade81b0869db1fd9 (patch)
treefda83610c07cfa0ffee8b34e8845b3af46bb7d92 /lib
parent732398561bcaaa952cf4dff14e18ff526666ff16 (diff)
downloadcurl-65d2f563fd908fcb53652339ade81b0869db1fd9.tar.gz
ntlm: avoid malloc(0) on zero length user and domain
... and simplify the too-long checks somewhat. Detected by OSS-Fuzz Closes #6264
Diffstat (limited to 'lib')
-rw-r--r--lib/curl_ntlm_core.c8
1 files changed, 2 insertions, 6 deletions
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 9245c1d10..9a075ac90 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -580,15 +580,11 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
unsigned char *identity;
CURLcode result = CURLE_OK;
- /* we do the length checks below separately to avoid integer overflow risk
- on extreme data lengths */
- if((userlen > SIZE_T_MAX/2) ||
- (domlen > SIZE_T_MAX/2) ||
- ((userlen + domlen) > SIZE_T_MAX/2))
+ if((userlen > CURL_MAX_INPUT_LENGTH) || (domlen > CURL_MAX_INPUT_LENGTH))
return CURLE_OUT_OF_MEMORY;
identity_len = (userlen + domlen) * 2;
- identity = malloc(identity_len);
+ identity = malloc(identity_len + 1);
if(!identity)
return CURLE_OUT_OF_MEMORY;