Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
libcurl always and unconditionally overwrote a stack-based array with 3 zero bytes. I edited the fix to make it less likely to occur again (and added a comment explaining the reason for the buffer size).
parent
163518778c
commit
80a324386b
5
CHANGES
5
CHANGES
@ -6,6 +6,11 @@
|
||||
|
||||
Changelog
|
||||
|
||||
Daniel (8 December 2004)
|
||||
- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
|
||||
libcurl always and unconditionally overwrote a stack-based array with 3 zero
|
||||
bytes. This is not an exploitable buffer overflow. No need to get alarmed.
|
||||
|
||||
Daniel (7 December 2004)
|
||||
- Fixed so that the final error message is sent to the verbose info "stream"
|
||||
even if no errorbuffer is set.
|
||||
|
@ -25,6 +25,7 @@ This release includes the following changes:
|
||||
|
||||
This release includes the following bugfixes:
|
||||
|
||||
o bad memory access in the NTLM code
|
||||
o EPSV on multi-homed servers now works correctly
|
||||
o chunked-encoded transfers could get closed pre-maturely without error
|
||||
o proxy CONNECT now default timeouts after 3600 seconds
|
||||
@ -61,6 +62,6 @@ advice from friends like these:
|
||||
Tomas Pospisek, Gisle Vanem, Dan Fandrich, Paul Nolan, Andres Garcia,
|
||||
Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips,
|
||||
Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum,
|
||||
Richard Atterer
|
||||
Richard Atterer, Rene Bernhardt
|
||||
|
||||
Thanks! (and sorry if I forgot to mention someone)
|
||||
|
@ -202,6 +202,8 @@ static void mkhash(char *password,
|
||||
#endif
|
||||
)
|
||||
{
|
||||
/* 21 bytes fits 3 7-bytes chunks, as we use 56 bit (7 bytes) as DES input,
|
||||
and we add three different ones, see the calc_resp() function */
|
||||
unsigned char lmbuffer[21];
|
||||
#ifdef USE_NTRESPONSES
|
||||
unsigned char ntbuffer[21];
|
||||
@ -239,7 +241,7 @@ static void mkhash(char *password,
|
||||
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8),
|
||||
DESKEY(ks), DES_ENCRYPT);
|
||||
|
||||
memset(lmbuffer+16, 0, 5);
|
||||
memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);
|
||||
}
|
||||
/* create LM responses */
|
||||
calc_resp(lmbuffer, nonce, lmresp);
|
||||
@ -260,7 +262,7 @@ static void mkhash(char *password,
|
||||
MD4_Update(&MD4, pw, 2*len);
|
||||
MD4_Final(ntbuffer, &MD4);
|
||||
|
||||
memset(ntbuffer+16, 0, 8);
|
||||
memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);
|
||||
}
|
||||
|
||||
calc_resp(ntbuffer, nonce, ntresp);
|
||||
|
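Review bot: Both rewritten memset calls in mkhash still hard-code the offset 16 (`memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);` and its ntbuffer twin), so the length now follows the array but the start does not. `sizeof(...)-16` is unsigned arithmetic, so it wraps to a huge count if either buffer is ever declared smaller than 16 bytes or becomes a pointer in a later refactor. A shared constant for the 16-byte hash length would keep declaration and memset in step, e.g. `memset(lmbuffer + HASH_LEN, 0, sizeof(lmbuffer) - HASH_LEN);`, where HASH_LEN is a suggested name and not one from the file. The new sizing comment sits only above `lmbuffer[21]`, while `ntbuffer[21]` under USE_NTRESPONSES relies on the same reasoning and appears to be the array the earlier 8-byte memset ran past, so it deserves the same comment. mkhash begins before and continues after the visible hunks, so whether these password-derived buffers are cleared before return cannot be checked from here.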