diff --git a/CHANGES b/CHANGES
index 3f68e041d..bdac7b113 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,11 @@ Changelog
+Daniel (8 December 2004)
+- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
+ libcurl always and unconditionally overwrote a stack-based array with 3 zero
+ bytes. This is not an exploitable buffer overflow. No need to get alarmed.
+
 Daniel (7 December 2004)
 - Fixed so that the final error message is sent to the verbose info "stream" even if no errorbuffer is set.
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 79d741d01..503514aa0 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -25,6 +25,7 @@ This release includes the following changes:
 This release includes the following bugfixes:
+ o bad memory access in the NTLM code
 o EPSV on multi-homed servers now works correctly
 o chunked-encoded transfers could get closed pre-maturely without error
 o proxy CONNECT now default timeouts after 3600 seconds
@@ -61,6 +62,6 @@ advice from friends like these:
 Tomas Pospisek, Gisle Vanem, Dan Fandrich, Paul Nolan, Andres Garcia, Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips, Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum,
- Richard Atterer
+ Richard Atterer, Rene Bernhardt
 Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/http_ntlm.c b/lib/http_ntlm.c
index dc31e837a..7de00ada1 100644
--- a/lib/http_ntlm.c
+++ b/lib/http_ntlm.c
@@ -202,6 +202,8 @@ static void mkhash(char *password,
 #endif
 ) {
+ /* 21 bytes fits 3 7-bytes chunks, as we use 56 bit (7 bytes) as DES input,
+ and we add three different ones, see the calc_resp() function */
 unsigned char lmbuffer[21];
 #ifdef USE_NTRESPONSES
 unsigned char ntbuffer[21];
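Review bot: The new comment above `unsigned char lmbuffer[21];` explains why the size is 21 but not the layout the later memsets in this function depend on: the first 16 bytes are hash output and the last 5 are zero padding, and calc_resp() consumes all 21 as three 7-byte (56-bit) DES keys, so the padding ends up inside the third key. Suggest `/* 16 bytes of hash + 5 zero bytes = 21 = three 7-byte (56-bit) DES keys, one per calc_resp() round */`, and the same note belongs on `ntbuffer` under USE_NTRESPONSES since it is laid out identically. Both arrays hold password-equivalent material (the LM hash, and presumably the NT hash for ntbuffer), so the declaration is also the place to record that they are to be wiped before mkhash returns; whether that happens is not visible here, because mkhash's signature starts above this hunk and its body runs past it.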
@@ -239,7 +241,7 @@ static void mkhash(char *password,
 DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8), DESKEY(ks), DES_ENCRYPT);
- memset(lmbuffer+16, 0, 5);
+ memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);
 }
 /* create LM responses */
 calc_resp(lmbuffer, nonce, lmresp);
@@ -260,7 +262,7 @@ static void mkhash(char *password,
 MD4_Update(&MD4, pw, 2*len);
 MD4_Final(ntbuffer, &MD4);
- memset(ntbuffer+16, 0, 8);
+ memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);
 }
 calc_resp(ntbuffer, nonce, ntresp);
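Review bot: The literal `16` in `memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);` appears twice with no explanation; it is the end of the DES output that the `DES_ecb_encrypt(..., (DES_cblock *)(lmbuffer+8), ...)` call just above writes into bytes 8..15, and the 5 bytes it zeroes are what calc_resp() reads as the tail of the third DES key. A one-line comment would keep the two numbers tied together: `/* zero-pad the 16-byte LM hash to 21 bytes; calc_resp() reads it as three 7-byte DES keys */`. Note that `sizeof(lmbuffer)-16` is only correct because lmbuffer is a local array declared earlier in mkhash (in the first hunk of this file); if it is ever changed to a pointer the expression silently becomes sizeof(void *)-16, so the declaration and this memset should stay in the same scope. The block this memset closes opens above the hunk.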
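Review bot: Nothing in the hunk clears `ntbuffer` after `calc_resp(ntbuffer, nonce, ntresp);`, and the MD4 digest that `MD4_Final(ntbuffer, &MD4);` wrote two lines earlier is password-equivalent NT hash material sitting in a stack array; if mkhash returns without zeroing it (the rest of the function is outside the hunk) it is left behind for whatever next reuses that stack. Add `memset(ntbuffer, 0, sizeof(ntbuffer));` after the calc_resp call, and the matching `memset(lmbuffer, 0, sizeof(lmbuffer));` after the LM calc_resp in the previous hunk; a plain memset of a dead local can be dropped by the optimizer, so use a volatile-pointer or explicit_bzero-style wipe where the build has one. The new `sizeof(ntbuffer)-16` is right because ntbuffer is a true 21-byte array in this scope; the replaced literal 8 wrote 3 bytes past it, and whether that overrun was harmless depends on the compiler's stack layout rather than on anything the code guarantees, so the CHANGES wording should be read as a judgement, not a proof.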