mirror of https://github.com/moparisthebest/curl synced 2025-01-11 05:58:01 -05:00

ntlm_wb: bail out if the response gets overly large

Exit the realloc() loop if the response turns out ridiculously large to
avoid worse problems.

Reported-by: Harry Sintonen
Closes #2959
Daniel Stenberg 2018-09-08 23:03:53 +02:00
parent 6e4b8c5073
commit 37da149670
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___ * | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____| * \___|\___/|_| \_\_____|
* *
* Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
* *
* This software is licensed as described in the file COPYING, which * This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms * you should have received as part of this distribution. The terms
@ -249,6 +249,9 @@ done:
return CURLE_REMOTE_ACCESS_DENIED; return CURLE_REMOTE_ACCESS_DENIED;
} }
/* if larger than this, something is seriously wrong */
#define MAX_NTLM_WB_RESPONSE 100000
static CURLcode ntlm_wb_response(struct connectdata *conn, static CURLcode ntlm_wb_response(struct connectdata *conn,
const char *input, curlntlm state) const char *input, curlntlm state)
{ {
@ -289,6 +292,12 @@ static CURLcode ntlm_wb_response(struct connectdata *conn,
buf[len_out - 1] = '\0'; buf[len_out - 1] = '\0';
break; break;
} }
if(len_out > MAX_NTLM_WB_RESPONSE) {
failf(conn->data, "too large ntlm_wb response!");
return CURLE_OUT_OF_MEMORY;
}
newbuf = Curl_saferealloc(buf, len_out + NTLM_BUFSIZE); newbuf = Curl_saferealloc(buf, len_out + NTLM_BUFSIZE);
if(!newbuf) if(!newbuf)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
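Review bot: The new size-limit branch in ntlm_wb_response returns without releasing `buf`, which the `Curl_saferealloc(buf, ...)` call just below shows is heap-allocated, so every oversized helper response appears to leak up to MAX_NTLM_WB_RESPONSE plus one read's worth of memory. I would add `free(buf);` before `return CURLE_OUT_OF_MEMORY;` in that branch. The realloc failure path below it presumably relies on Curl_saferealloc freeing the original pointer, which this early return does not get. Separately, CURLE_OUT_OF_MEMORY is a misleading code for a helper that sent too much data, since no allocation has failed at that point. The function body starts and ends outside the hunk, so the cleanup convention used on its other exit paths should be checked before settling on the exact form.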