Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where

libcurl always and unconditionally overwrote a stack-based array with 3 zero bytes. I edited the fix to make it less likely to occur again (and added a comment explaining the reason to the buffer size).
2004-12-07 23:09:41 +00:00 · 2004-12-07 23:09:41 +00:00 · 80a324386b
parent 163518778c
commit 80a324386b
3 changed files with 11 additions and 3 deletions
--- a/5
+++ b/5
@ -6,6 +6,11 @@

                                  Changelog

+Daniel (8 December 2004)
+- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
+  libcurl always and unconditionally overwrote a stack-based array with 3 zero
+  bytes. This is not an exploitable buffer overflow. No need to get alarmed.
+
 Daniel (7 December 2004)
 - Fixed so that the final error message is sent to the verbose info "stream"
  even if no errorbuffer is set.
--- a/3
+++ b/3
@ -25,6 +25,7 @@ This release includes the following changes:

 This release includes the following bugfixes:

+ o bad memory access in the NTLM code
 o EPSV on multi-homed servers now works correctly
 o chunked-encoded transfers could get closed pre-maturely without error
 o proxy CONNECT now default timeouts after 3600 seconds
@ -61,6 +62,6 @@ advice from friends like these:
 Tomas Pospisek, Gisle Vanem, Dan Fandrich, Paul Nolan, Andres Garcia,
 Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips,
 Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum,
- Richard Atterer
+ Richard Atterer, Rene Bernhardt

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/http_ntlm.c
+++ b/lib/http_ntlm.c
@ -202,6 +202,8 @@ static void mkhash(char *password,
 #endif
  )
 {
+  /* 21 bytes fits 3 7-bytes chunks, as we use 56 bit (7 bytes) as DES input,
+     and we add three different ones, see the calc_resp() function */
  unsigned char lmbuffer[21];
 #ifdef USE_NTRESPONSES
  unsigned char ntbuffer[21];
@ -239,7 +241,7 @@ static void mkhash(char *password,
    DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8),
                    DESKEY(ks), DES_ENCRYPT);

-    memset(lmbuffer+16, 0, 5);
+    memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);
  }
  /* create LM responses */
  calc_resp(lmbuffer, nonce, lmresp);
@ -260,7 +262,7 @@ static void mkhash(char *password,
    MD4_Update(&MD4, pw, 2*len);
    MD4_Final(ntbuffer, &MD4);

-    memset(ntbuffer+16, 0, 8);
+    memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);
  }

  calc_resp(ntbuffer, nonce, ntresp);