diff options
Diffstat (limited to 'package/network/utils/curl/patches/107-CVE-2017-8816.patch')
-rw-r--r-- | package/network/utils/curl/patches/107-CVE-2017-8816.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/107-CVE-2017-8816.patch b/package/network/utils/curl/patches/107-CVE-2017-8816.patch new file mode 100644 index 0000000000..27775b0d81 --- /dev/null +++ b/package/network/utils/curl/patches/107-CVE-2017-8816.patch @@ -0,0 +1,56 @@ +From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 6 Nov 2017 23:51:52 +0100 +Subject: [PATCH] ntlm: avoid integer overflow for malloc size + +Reported-by: Alex Nichols +Assisted-by: Kamil Dudka and Max Dymond + +CVE-2017-8816 + +Bug: https://curl.haxx.se/docs/adv_2017-11e7.html +--- + lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/lib/curl_ntlm_core.c ++++ b/lib/curl_ntlm_core.c +@@ -618,6 +618,15 @@ CURLcode Curl_hmac_md5(const unsigned ch + return CURLE_OK; + } + ++#ifndef SIZE_T_MAX ++/* some limits.h headers have this defined, some don't */ ++#if defined(_LP64) || defined(_I32LPx) ++#define SIZE_T_MAX 18446744073709551615U ++#else ++#define SIZE_T_MAX 4294967295U ++#endif ++#endif ++ + /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode + * (uppercase UserName + Domain) as the data + */ +@@ -627,10 +636,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c + unsigned char *ntlmv2hash) + { + /* Unicode representation */ +- size_t identity_len = (userlen + domlen) * 2; +- unsigned char *identity = malloc(identity_len); ++ size_t identity_len; ++ unsigned char *identity; + CURLcode result = CURLE_OK; + ++ /* we do the length checks below separately to avoid integer overflow risk ++ on extreme data lengths */ ++ if((userlen > SIZE_T_MAX/2) || ++ (domlen > SIZE_T_MAX/2) || ++ ((userlen + domlen) > SIZE_T_MAX/2)) ++ return CURLE_OUT_OF_MEMORY; ++ ++ identity_len = (userlen + domlen) * 2; ++ identity = malloc(identity_len); ++ + if(!identity) + return CURLE_OUT_OF_MEMORY; + |