moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2025-03-03 02:41:59 -05:00
Code Issues Releases Wiki Activity

ntlm: precaution against super huge type2 offsets

Browse Source 
... which otherwise caused an integer overflow and circumvented the if()
conditional size check.

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33720
Assisted-by: Max Dymond
Closes #6975
This commit is contained in:
Daniel Stenberg 2021-04-27 11:12:23 +02:00
parent 826c438c61
commit 3e820fbf25
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/vauth/ntlm.c
View File

@ -178,7 +178,8 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data,
target_info_len = Curl_read16_le(&type2[40]); target_info_len = Curl_read16_le(&type2[40]);
target_info_offset = Curl_read32_le(&type2[44]); target_info_offset = Curl_read32_le(&type2[44]);
if(target_info_len > 0) { if(target_info_len > 0) {
if((target_info_offset + target_info_len) > type2len || if((target_info_offset > type2len) ||
(target_info_offset + target_info_len) > type2len ||
target_info_offset < 48) { target_info_offset < 48) {
infof(data, "NTLM handshake failure (bad type-2 message). " infof(data, "NTLM handshake failure (bad type-2 message). "
"Target Info Offset Len is set incorrect by the peer\n"); "Target Info Offset Len is set incorrect by the peer\n");