| blob | deb3edb3bccf098dc301df7d754f1ebda7ce45e8 |
1 From 50c9484278c63b958655a717844f0721263939cc Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Thu, 3 Jan 2019 12:59:28 +0100
4 Subject: [PATCH] ntlm: fix *_type3_message size check to avoid buffer overflow
6 Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
7 Reported-by: Wenxiang Qian
8 CVE-2019-3822
9 ---
10 lib/vauth/ntlm.c | 11 +++++++----
11 1 file changed, 7 insertions(+), 4 deletions(-)
13 diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
14 index 0ad4d972e3..6a8fc5ab3d 100644
15 --- a/lib/vauth/ntlm.c
16 +++ b/lib/vauth/ntlm.c
17 @@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
18 });
20 #if USE_NTRESPONSES
21 - if(size < (NTLM_BUFSIZE - ntresplen)) {
22 - DEBUGASSERT(size == (size_t)ntrespoff);
23 - memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
24 - size += ntresplen;
25 + /* ntresplen + size should not be risking an integer overflow here */
26 + if(ntresplen + size > sizeof(ntlmbuf)) {
27 + failf(data, "incoming NTLM message too big");
28 + return CURLE_OUT_OF_MEMORY;
29 }
30 + DEBUGASSERT(size == (size_t)ntrespoff);
31 + memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
32 + size += ntresplen;
34 DEBUG_OUT({
35 fprintf(stderr, "\n ntresp=");