| blob | 40f08e7305c102280e67b6e88fc887661c2d9d13 |
1 From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Mon, 13 Aug 2018 10:35:52 +0200
4 Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
6 ... since it would cause an integer overflow if longer than (max size_t
7 / 2).
9 This is CVE-2018-14618
11 Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
12 Closes #2756
13 Reported-by: Zhaoyang Wu
14 ---
15 lib/curl_ntlm_core.c | 5 ++++-
16 1 file changed, 4 insertions(+), 1 deletion(-)
18 diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
19 index e27cab353c..922e85a926 100644
20 --- a/lib/curl_ntlm_core.c
21 +++ b/lib/curl_ntlm_core.c
22 @@ -526,6 +526,15 @@
24 #endif /* USE_NTLM_V2 && !USE_WINDOWS_SSPI */
26 +#ifndef SIZE_T_MAX
27 +/* some limits.h headers have this defined, some don't */
28 +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
29 +#define SIZE_T_MAX 18446744073709551615U
30 +#else
31 +#define SIZE_T_MAX 4294967295U
32 +#endif
33 +#endif
34 +
35 /*
36 * Set up nt hashed passwords
37 * @unittest: 1600
38 @@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
39 unsigned char *ntbuffer /* 21 bytes */)
40 {
41 size_t len = strlen(password);
42 - unsigned char *pw = malloc(len * 2);
43 + unsigned char *pw;
44 CURLcode result;
45 + if(len > SIZE_T_MAX/2) /* avoid integer overflow */
46 + return CURLE_OUT_OF_MEMORY;
47 + pw = len ? malloc(len * 2) : strdup("");
48 if(!pw)
49 return CURLE_OUT_OF_MEMORY;
51 @@ -621,15 +630,6 @@
52 return CURLE_OK;
53 }
55 -#ifndef SIZE_T_MAX
56 -/* some limits.h headers have this defined, some don't */
57 -#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
58 -#define SIZE_T_MAX 18446744073709551615U
59 -#else
60 -#define SIZE_T_MAX 4294967295U
61 -#endif
62 -#endif
63 -
64 /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
65 * (uppercase UserName + Domain) as the data
66 */