Domovská stránka Prehľadávať Pomoc
Prihlásiť sa
iank
/
libreCMC
forknuté z libreCMC/libreCMC
1
0
Fork 0
Súbory
Strom: 34d043cd0d
Branche Tagy
libreCMC
/
package
/
network
/
utils
/
curl
/
patches
/
105-CVE-2017-8816.patch

105-CVE-2017-8816.patch 2.1 KB
História Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Daniel Stenberg <daniel@haxx.se>
    3. 

  3. Date: Mon, 6 Nov 2017 23:51:52 +0100
    4. 

  4. Subject: [PATCH] ntlm: avoid integer overflow for malloc size
    5. 

  5. 

  6. Reported-by: Alex Nichols
    7. 

  7. Assisted-by: Kamil Dudka and Max Dymond
    8. 

  8. 

  9. CVE-2017-8816
    10. 

  10. 

  11. Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
    12. 

  12. ---
    13. 

  13.  lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
    14. 

  14.  1 file changed, 21 insertions(+), 2 deletions(-)
    15. 

  15. 

  16. diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
    17. 

  17. index 1309bf0d9..e8962769c 100644
    18. 

  18. --- a/lib/curl_ntlm_core.c
    19. 

  19. +++ b/lib/curl_ntlm_core.c
    20. 

  20. @@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
    21. 

  21.    Curl_HMAC_final(ctxt, output);
    22. 

  22.  
    23. 

  23.    return CURLE_OK;
    24. 

  24.  }
    25. 

  25.  
    26. 

  26. +#ifndef SIZE_T_MAX
    27. 

  27. +/* some limits.h headers have this defined, some don't */
    28. 

  28. +#if defined(_LP64) || defined(_I32LPx)
    29. 

  29. +#define SIZE_T_MAX 18446744073709551615U
    30. 

  30. +#else
    31. 

  31. +#define SIZE_T_MAX 4294967295U
    32. 

  32. +#endif
    33. 

  33. +#endif
    34. 

  34. +
    35. 

  35.  /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
    36. 

  36.   * (uppercase UserName + Domain) as the data
    37. 

  37.   */
    38. 

  38.  CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
    39. 

  39.                                         const char *domain, size_t domlen,
    40. 

  40.                                         unsigned char *ntlmhash,
    41. 

  41.                                         unsigned char *ntlmv2hash)
    42. 

  42.  {
    43. 

  43.    /* Unicode representation */
    44. 

  44. -  size_t identity_len = (userlen + domlen) * 2;
    45. 

  45. -  unsigned char *identity = malloc(identity_len);
    46. 

  46. +  size_t identity_len;
    47. 

  47. +  unsigned char *identity;
    48. 

  48.    CURLcode result = CURLE_OK;
    49. 

  49.  
    50. 

  50. +  /* we do the length checks below separately to avoid integer overflow risk
    51. 

  51. +     on extreme data lengths */
    52. 

  52. +  if((userlen > SIZE_T_MAX/2) ||
    53. 

  53. +     (domlen > SIZE_T_MAX/2) ||
    54. 

  54. +     ((userlen + domlen) > SIZE_T_MAX/2))
    55. 

  55. +    return CURLE_OUT_OF_MEMORY;
    56. 

  56. +
    57. 

  57. +  identity_len = (userlen + domlen) * 2;
    58. 

  58. +  identity = malloc(identity_len);
    59. 

  59. +
    60. 

  60.    if(!identity)
    61. 

  61.      return CURLE_OUT_OF_MEMORY;
    62. 

  62.  
    63. 

  63.    ascii_uppercase_to_unicode_le(identity, user, userlen);
    64. 

  64.    ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
    65. 

  65. -- 
    66. 

  66. 2.15.0
    67. 

  67.