ntlm: avoid integer overflow for malloc size

Reported-by: Alex Nichols Assisted-by: Kamil Dudka and Max Dymond CVE-2017-8816 Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
2017-11-06 23:51:52 +01:00 · 2017-11-06 23:51:52 +01:00 · 7f2a1df6f5
parent 0b664ba968
commit 7f2a1df6f5
1 changed files with 18 additions and 2 deletions
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@ -646,6 +646,12 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
  return CURLE_OK;
 }

+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+
 /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
 * (uppercase UserName + Domain) as the data
 */
@ -655,10 +661,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
                                       unsigned char *ntlmv2hash)
 {
  /* Unicode representation */
-  size_t identity_len = (userlen + domlen) * 2;
-  unsigned char *identity = malloc(identity_len);
+  size_t identity_len;
+  unsigned char *identity;
  CURLcode result = CURLE_OK;

+  /* we do the length checks below separately to avoid integer overflow risk
+     on extreme data lengths */
+  if((userlen > SIZE_T_MAX/2) ||
+     (domlen > SIZE_T_MAX/2) ||
+     ((userlen + domlen) > SIZE_T_MAX/2))
+    return CURLE_OUT_OF_MEMORY;
+
+  identity_len = (userlen + domlen) * 2;
+  identity = malloc(identity_len);
+
  if(!identity)
    return CURLE_OUT_OF_MEMORY;