search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gbuild: ExternalProject: improve NMAKE handling
[LibreOffice.git] / external / curl / CVE-2017-8816.patch
blobdd4fa677e03f0807e37877859335b4d24d5bc3b4
1 From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Mon, 6 Nov 2017 23:51:52 +0100
4 Subject: [PATCH] ntlm: avoid integer overflow for malloc size
5
6 Reported-by: Alex Nichols
7 Assisted-by: Kamil Dudka and Max Dymond
8
9 CVE-2017-8816
10
11 Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
12 ---
13 lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
14 1 file changed, 21 insertions(+), 2 deletions(-)
15
16 diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
17 index 1309bf0d9..e8962769c 100644
18 --- a/lib/curl_ntlm_core.c
19 +++ b/lib/curl_ntlm_core.c
20 @@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
21 Curl_HMAC_final(ctxt, output);
22
23 return CURLE_OK;
24 }
25
26 +#ifndef SIZE_T_MAX
27 +/* some limits.h headers have this defined, some don't */
28 +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
29 +#define SIZE_T_MAX 18446744073709551615U
30 +#else
31 +#define SIZE_T_MAX 4294967295U
32 +#endif
33 +#endif
34 +
35 /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
36 * (uppercase UserName + Domain) as the data
37 */
38 CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
39 const char *domain, size_t domlen,
40 unsigned char *ntlmhash,
41 unsigned char *ntlmv2hash)
42 {
43 /* Unicode representation */
44 - size_t identity_len = (userlen + domlen) * 2;
45 - unsigned char *identity = malloc(identity_len);
46 + size_t identity_len;
47 + unsigned char *identity;
48 CURLcode result = CURLE_OK;
49
50 + /* we do the length checks below separately to avoid integer overflow risk
51 + on extreme data lengths */
52 + if((userlen > SIZE_T_MAX/2) ||
53 + (domlen > SIZE_T_MAX/2) ||
54 + ((userlen + domlen) > SIZE_T_MAX/2))
55 + return CURLE_OUT_OF_MEMORY;
56 +
57 + identity_len = (userlen + domlen) * 2;
58 + identity = malloc(identity_len);
59 +
60 if(!identity)
61 return CURLE_OUT_OF_MEMORY;
62
63 ascii_uppercase_to_unicode_le(identity, user, userlen);
64 ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
65 --
66 2.15.0
67
FREE OFFICE SUITE