Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
libcurl always and unconditionally overwrote a stack-based array with 3 zero
bytes. I edited the fix to make it less likely to occur again (and added
a comment explaining the reason for the buffer size).
Daniel Stenberg 2004-12-07 23:09:41 +00:00
parent 163518778c
commit 80a324386b
3 changed files with 11 additions and 3 deletions


@ -6,6 +6,11 @@
Changelog Changelog
Daniel (8 December 2004)
- Rene Bernhardt found and fixed a buffer overrun in the NTLM code, where
libcurl always and unconditionally overwrote a stack-based array with 3 zero
bytes. This is not an exploitable buffer overflow. No need to get alarmed.
Daniel (7 December 2004) Daniel (7 December 2004)
- Fixed so that the final error message is sent to the verbose info "stream" - Fixed so that the final error message is sent to the verbose info "stream"
even if no errorbuffer is set. even if no errorbuffer is set.
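Review bot: the CHANGES entry should say which array overran, since the RELEASE-NOTES line for the same fix only says "bad memory access". In mkhash() both lmbuffer and ntbuffer are unsigned char[21], but only the NT path's memset(ntbuffer+16, 0, 8) wrote past the end (offset 16 plus 8 bytes reaches 24, 3 bytes beyond 21, matching the 3 zero bytes in the commit message); the LM path's memset(lmbuffer+16, 0, 5) was already in bounds. Wording such as "the NT-response memset in mkhash() wrote 3 zero bytes past the end of a 21-byte stack array" would also let readers judge the "not exploitable" statement for themselves instead of taking it on faith.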


@ -25,6 +25,7 @@ This release includes the following changes:
This release includes the following bugfixes: This release includes the following bugfixes:
o bad memory access in the NTLM code
o EPSV on multi-homed servers now works correctly o EPSV on multi-homed servers now works correctly
o chunked-encoded transfers could get closed pre-maturely without error o chunked-encoded transfers could get closed pre-maturely without error
o proxy CONNECT now default timeouts after 3600 seconds o proxy CONNECT now default timeouts after 3600 seconds
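Review bot: "bad memory access" in the bugfix list is vaguer than the CHANGES entry for the same fix, which calls it a buffer overrun and says it is not exploitable; use consistent wording across the two files, e.g. "o stack buffer overrun in the NTLM code (not exploitable)", so release-notes readers do not take it for an unrelated crash.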
@ -61,6 +62,6 @@ advice from friends like these:
Tomas Pospisek, Gisle Vanem, Dan Fandrich, Paul Nolan, Andres Garcia, Tomas Pospisek, Gisle Vanem, Dan Fandrich, Paul Nolan, Andres Garcia,
Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips, Tim Sneddon, Ian Gulliver, Jean-Philippe Barrette-LaPierre, Jeff Phillips,
Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum, Wojciech Zwiefka, David Phillips, Reinout van Schouwen, Maurice Barnum,
Richard Atterer Richard Atterer, Rene Bernhardt
Thanks! (and sorry if I forgot to mention someone) Thanks! (and sorry if I forgot to mention someone)


@ -202,6 +202,8 @@ static void mkhash(char *password,
#endif #endif
) )
{ {
/* 21 bytes fits 3 7-bytes chunks, as we use 56 bit (7 bytes) as DES input,
and we add three different ones, see the calc_resp() function */
unsigned char lmbuffer[21]; unsigned char lmbuffer[21];
#ifdef USE_NTRESPONSES #ifdef USE_NTRESPONSES
unsigned char ntbuffer[21]; unsigned char ntbuffer[21];
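Review bot: the new comment has a grammar slip ("3 7-bytes chunks" should read "three 7-byte chunks"), and "we add three different ones" does not say what is added; something like "21 bytes holds three 7-byte (56-bit) DES keys, which calc_resp() derives from this buffer" would be clearer. It also documents only lmbuffer, while ntbuffer two lines down is sized 21 for the same reason and is the array whose memset actually overran; a single named constant used by both declarations (e.g. a `#define NTLM_HASH_BUFLEN 21`, hypothetical name) with this comment attached to it would keep the two sizes from drifting apart.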
@ -239,7 +241,7 @@ static void mkhash(char *password,
DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8), DES_ecb_encrypt((DES_cblock *)magic, (DES_cblock *)(lmbuffer+8),
DESKEY(ks), DES_ENCRYPT); DESKEY(ks), DES_ENCRYPT);
memset(lmbuffer+16, 0, 5); memset(lmbuffer+16, 0, sizeof(lmbuffer)-16);
} }
/* create LM responses */ /* create LM responses */
calc_resp(lmbuffer, nonce, lmresp); calc_resp(lmbuffer, nonce, lmresp);
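Review bot: the old length 5 here was already in bounds (16 + 5 = 21), so this change is defensive rather than a fix, which is worth saying in the commit message given it is presented as part of the overrun fix. The remaining magic 16 is the size of the two DES output blocks written at lmbuffer and lmbuffer+8 above; spelling it as 2*sizeof(DES_cblock) or a named offset would let the same reasoning that produced sizeof(lmbuffer)-16 cover the start offset as well. Note also that sizeof(lmbuffer) only works because lmbuffer is a local array in this scope; if the buffer were ever passed in as a pointer, the expression would silently become the size of a pointer minus 16.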
@ -260,7 +262,7 @@ static void mkhash(char *password,
MD4_Update(&MD4, pw, 2*len); MD4_Update(&MD4, pw, 2*len);
MD4_Final(ntbuffer, &MD4); MD4_Final(ntbuffer, &MD4);
memset(ntbuffer+16, 0, 8); memset(ntbuffer+16, 0, sizeof(ntbuffer)-16);
} }
calc_resp(ntbuffer, nonce, ntresp); calc_resp(ntbuffer, nonce, ntresp);
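Review bot: this is the actual overrun: MD4_Final() writes 16 bytes, and memset(ntbuffer+16, 0, 8) then zeroed through offset 23 of a 21-byte array, 3 bytes past the end, which matches the commit message. sizeof(ntbuffer)-16 is correct, but an offset-free form is to memset(ntbuffer, 0, sizeof(ntbuffer)) before MD4_Final() and let the digest overwrite the first 16 bytes; if the offset form is kept, the hard-coded 16 can be written as MD4_DIGEST_LENGTH, which OpenSSL defines for exactly this purpose, so the padding length no longer encodes the digest size by hand.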