1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 00:58:48 -05:00

ntlm: avoid malloc(0) on zero length user and domain

... and simplify the too-long checks somewhat.

Detected by OSS-Fuzz

Closes #6264
This commit is contained in:
Daniel Stenberg 2020-11-28 22:29:59 +01:00
parent 732398561b
commit 65d2f563fd
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -580,15 +580,11 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
unsigned char *identity; unsigned char *identity;
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
/* we do the length checks below separately to avoid integer overflow risk if((userlen > CURL_MAX_INPUT_LENGTH) || (domlen > CURL_MAX_INPUT_LENGTH))
on extreme data lengths */
if((userlen > SIZE_T_MAX/2) ||
(domlen > SIZE_T_MAX/2) ||
((userlen + domlen) > SIZE_T_MAX/2))
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
identity_len = (userlen + domlen) * 2; identity_len = (userlen + domlen) * 2;
identity = malloc(identity_len); identity = malloc(identity_len + 1);
if(!identity) if(!identity)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;