Diffstat (limited to 'package/network/utils/curl/patches/407-CVE-2018-16890.patch')
-rw-r--r-- | package/network/utils/curl/patches/407-CVE-2018-16890.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/407-CVE-2018-16890.patch b/package/network/utils/curl/patches/407-CVE-2018-16890.patch
new file mode 100644
index 0000000000..9a51243ee3
--- /dev/null
+++ b/package/network/utils/curl/patches/407-CVE-2018-16890.patch
@@ -0,0 +1,37 @@
+From b780b30d1377adb10bbe774835f49e9b237fb9bb Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 2 Jan 2019 20:33:08 +0100
+Subject: [PATCH] NTLM: fix size check condition for type2 received data
+
+Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
+Reported-by: Wenxiang Qian
+CVE-2018-16890
+---
+ lib/vauth/ntlm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/lib/vauth/ntlm.c
++++ b/lib/vauth/ntlm.c
+@@ -5,7 +5,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -182,10 +182,11 @@ static CURLcode ntlm_decode_type2_target
+ target_info_len = Curl_read16_le(&buffer[40]);
+ target_info_offset = Curl_read32_le(&buffer[44]);
+ if(target_info_len > 0) {
+- if(((target_info_offset + target_info_len) > size) ||
++ if((target_info_offset >= size) ||
++ ((target_info_offset + target_info_len) > size) ||
+ (target_info_offset < 48)) {
+ infof(data, "NTLM handshake failure (bad type-2 message). "
+- "Target Info Offset Len is set incorrect by the peer\n");
++ "Target Info Offset Len is set incorrect by the peer\n");
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+ |
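Review bot: The added `(target_info_offset >= size)` test in the `@@ -182,10 +182,11 @@` hunk of lib/vauth/ntlm.c has no comment saying why it must come before the sum check, and the sum `target_info_offset + target_info_len` is still built from two fields read out of the peer's message. If the offset is a 32-bit unsigned value (its declaration is outside the hunk), a large offset could make that sum wrap and slip past the `> size` comparison, which is presumably what the new test prevents. A comment such as `/* reject offsets past the buffer first so the sum below cannot wrap */` would keep a later cleanup from reordering or dropping the test. A form that does not rely on ordering is `(target_info_len > size - target_info_offset)` evaluated after the `>= size` test. The body of ntlm_decode_type2_target continues outside the hunk, so how the validated offset is used is not visible here.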