From 8c3b954f146e995727227b5816e137c6ed7e3862 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 20 Mar 2018 15:15:14 +0100 Subject: vauth/cleartext: fix integer overflow check Make the integer overflow check not rely on the undefined behavior that a size_t wraps around on overflow. Detected by lgtm.com --- lib/curl_ntlm_core.c | 11 +---------- lib/curl_setup.h | 9 +++++++++ lib/vauth/cleartext.c | 14 ++++---------- 3 files changed, 14 insertions(+), 20 deletions(-) diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index e8962769c..72eda34ad 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -646,15 +646,6 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, return CURLE_OK; } -#ifndef SIZE_T_MAX -/* some limits.h headers have this defined, some don't */ -#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) -#define SIZE_T_MAX 18446744073709551615U -#else -#define SIZE_T_MAX 4294967295U -#endif -#endif - /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode * (uppercase UserName + Domain) as the data */ diff --git a/lib/curl_setup.h b/lib/curl_setup.h index f128696e9..e4503c64c 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h @@ -447,6 +447,15 @@ # endif #endif +#ifndef SIZE_T_MAX +/* some limits.h headers have this defined, some don't */ +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +#define SIZE_T_MAX 18446744073709551615U +#else +#define SIZE_T_MAX 4294967295U +#endif +#endif + /* * Arg 2 type for gethostname in case it hasn't been defined in config file. */ diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c index a761ae784..5d61ce6dc 100644 --- a/lib/vauth/cleartext.c +++ b/lib/vauth/cleartext.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, ulen = strlen(userp); plen = strlen(passwdp); - /* Compute binary message length, checking for overflows. */ - plainlen = 2 * ulen; - if(plainlen < ulen) - return CURLE_OUT_OF_MEMORY; - plainlen += plen; - if(plainlen < plen) - return CURLE_OUT_OF_MEMORY; - plainlen += 2; - if(plainlen < 2) + /* Compute binary message length. Check for overflows. */ + if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) return CURLE_OUT_OF_MEMORY; + plainlen = 2 * ulen + plen + 2; plainauth = malloc(plainlen); if(!plainauth) -- cgit v1.2.1