1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00

ntlm: avoid integer overflow for malloc size

Reported-by: Alex Nichols
Assisted-by: Kamil Dudka and Max Dymond

CVE-2017-8816

Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
This commit is contained in:
Daniel Stenberg 2017-11-06 23:51:52 +01:00
parent 0b664ba968
commit 7f2a1df6f5
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -646,6 +646,12 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
return CURLE_OK; return CURLE_OK;
} }
#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
#define SIZE_T_MAX 18446744073709551615U
#else
#define SIZE_T_MAX 4294967295U
#endif
/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
* (uppercase UserName + Domain) as the data * (uppercase UserName + Domain) as the data
*/ */
@ -655,10 +661,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
unsigned char *ntlmv2hash) unsigned char *ntlmv2hash)
{ {
/* Unicode representation */ /* Unicode representation */
size_t identity_len = (userlen + domlen) * 2; size_t identity_len;
unsigned char *identity = malloc(identity_len); unsigned char *identity;
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
/* we do the length checks below separately to avoid integer overflow risk
on extreme data lengths */
if((userlen > SIZE_T_MAX/2) ||
(domlen > SIZE_T_MAX/2) ||
((userlen + domlen) > SIZE_T_MAX/2))
return CURLE_OUT_OF_MEMORY;
identity_len = (userlen + domlen) * 2;
identity = malloc(identity_len);
if(!identity) if(!identity)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;