1 files changed, 56 insertions, 0 deletions

diff --git a/package/network/utils/curl/patches/107-CVE-2017-8816.patch b/package/network/utils/curl/patches/107-CVE-2017-8816.patch
new file mode 100644
index 0000000000..27775b0d81
--- /dev/null
+++ b/package/network/utils/curl/patches/107-CVE-2017-8816.patch
@@ -0,0 +1,56 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -618,6 +618,15 @@ CURLcode Curl_hmac_md5(const unsigned ch
+   return CURLE_OK;
+ }
+ 
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(_LP64) || defined(_I32LPx)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+  * (uppercase UserName + Domain) as the data
+  */
+@@ -627,10 +636,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c
+                                        unsigned char *ntlmv2hash)
+ {
+   /* Unicode representation */
+-  size_t identity_len = (userlen + domlen) * 2;
+-  unsigned char *identity = malloc(identity_len);
++  size_t identity_len;
++  unsigned char *identity;
+   CURLcode result = CURLE_OK;
+ 
++  /* we do the length checks below separately to avoid integer overflow risk
++     on extreme data lengths */
++  if((userlen > SIZE_T_MAX/2) ||
++     (domlen > SIZE_T_MAX/2) ||
++     ((userlen + domlen) > SIZE_T_MAX/2))
++    return CURLE_OUT_OF_MEMORY;
++
++  identity_len = (userlen + domlen) * 2;
++  identity = malloc(identity_len);
++
+   if(!identity)
+     return CURLE_OUT_OF_MEMORY;
+