105-CVE-2017-8816.patch 2.1 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
  1. From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
  2. From: Daniel Stenberg <daniel@haxx.se>
  3. Date: Mon, 6 Nov 2017 23:51:52 +0100
  4. Subject: [PATCH] ntlm: avoid integer overflow for malloc size
  5. Reported-by: Alex Nichols
  6. Assisted-by: Kamil Dudka and Max Dymond
  7. CVE-2017-8816
  8. Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
  9. ---
  10. lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
  11. 1 file changed, 21 insertions(+), 2 deletions(-)
  12. diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
  13. index 1309bf0d9..e8962769c 100644
  14. --- a/lib/curl_ntlm_core.c
  15. +++ b/lib/curl_ntlm_core.c
  16. @@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
  17. Curl_HMAC_final(ctxt, output);
  18. return CURLE_OK;
  19. }
  20. +#ifndef SIZE_T_MAX
  21. +/* some limits.h headers have this defined, some don't */
  22. +#if defined(_LP64) || defined(_I32LPx)
  23. +#define SIZE_T_MAX 18446744073709551615U
  24. +#else
  25. +#define SIZE_T_MAX 4294967295U
  26. +#endif
  27. +#endif
  28. +
  29. /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
  30. * (uppercase UserName + Domain) as the data
  31. */
  32. CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
  33. const char *domain, size_t domlen,
  34. unsigned char *ntlmhash,
  35. unsigned char *ntlmv2hash)
  36. {
  37. /* Unicode representation */
  38. - size_t identity_len = (userlen + domlen) * 2;
  39. - unsigned char *identity = malloc(identity_len);
  40. + size_t identity_len;
  41. + unsigned char *identity;
  42. CURLcode result = CURLE_OK;
  43. + /* we do the length checks below separately to avoid integer overflow risk
  44. + on extreme data lengths */
  45. + if((userlen > SIZE_T_MAX/2) ||
  46. + (domlen > SIZE_T_MAX/2) ||
  47. + ((userlen + domlen) > SIZE_T_MAX/2))
  48. + return CURLE_OUT_OF_MEMORY;
  49. +
  50. + identity_len = (userlen + domlen) * 2;
  51. + identity = malloc(identity_len);
  52. +
  53. if(!identity)
  54. return CURLE_OUT_OF_MEMORY;
  55. ascii_uppercase_to_unicode_le(identity, user, userlen);
  56. ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
  57. --
  58. 2.15.0