moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00
Code Issues Releases Wiki Activity

ntlm: avoid malloc(0) for zero length passwords

Browse Source 
It triggers an assert() when built with memdebug since malloc(0) may
return NULL *or* a valid pointer.

Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054

Assisted-by: Max Dymond
Closes #2054
This commit is contained in:
Daniel Stenberg 2017-11-04 16:42:21 +01:00
parent d2146c598a
commit 685ef13057
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/curl_ntlm_core.c
View File

@ -557,7 +557,7 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
unsigned char *ntbuffer /* 21 bytes */) unsigned char *ntbuffer /* 21 bytes */)
{ {
size_t len = strlen(password); size_t len = strlen(password);
unsigned char *pw = malloc(len * 2); unsigned char *pw = len ? malloc(len * 2) : strdup("");
CURLcode result; CURLcode result;
if(!pw) if(!pw)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;