openwrt/package/network/utils/curl/patches/105-CVE-2017-8816.patch

From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 6 Nov 2017 23:51:52 +0100
Subject: [PATCH] ntlm: avoid integer overflow for malloc size

Reported-by: Alex Nichols
Assisted-by: Kamil Dudka and Max Dymond

CVE-2017-8816

Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
---
 lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 1309bf0d9..e8962769c 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
   Curl_HMAC_final(ctxt, output);
 
   return CURLE_OK;
 }
 
+#ifndef SIZE_T_MAX
+/* some limits.h headers have this defined, some don't */
+#if defined(_LP64) || defined(_I32LPx)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+#endif
+
 /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
  * (uppercase UserName + Domain) as the data
  */
 CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
                                        const char *domain, size_t domlen,
                                        unsigned char *ntlmhash,
                                        unsigned char *ntlmv2hash)
 {
   /* Unicode representation */
-  size_t identity_len = (userlen + domlen) * 2;
-  unsigned char *identity = malloc(identity_len);
+  size_t identity_len;
+  unsigned char *identity;
   CURLcode result = CURLE_OK;
 
+  /* we do the length checks below separately to avoid integer overflow risk
+     on extreme data lengths */
+  if((userlen > SIZE_T_MAX/2) ||
+     (domlen > SIZE_T_MAX/2) ||
+     ((userlen + domlen) > SIZE_T_MAX/2))
+    return CURLE_OUT_OF_MEMORY;
+
+  identity_len = (userlen + domlen) * 2;
+  identity = malloc(identity_len);
+
   if(!identity)
     return CURLE_OUT_OF_MEMORY;
 
   ascii_uppercase_to_unicode_le(identity, user, userlen);
   ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
-- 
2.15.0
curl: apply CVE 2017-8816 and 2017-8817 security patches This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01 Curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers <foss@volatilesystems.org> 2017-12-03 11:09:20 +00:00			`From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Mon, 6 Nov 2017 23:51:52 +0100`
			`Subject: [PATCH] ntlm: avoid integer overflow for malloc size`

			`Reported-by: Alex Nichols`
			`Assisted-by: Kamil Dudka and Max Dymond`

			`CVE-2017-8816`

			`Bug: https://curl.haxx.se/docs/adv_2017-11e7.html`
			`---`
			`lib/curl_ntlm_core.c \| 23 +++++++++++++++++++++--`
			`1 file changed, 21 insertions(+), 2 deletions(-)`

			`diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c`
			`index 1309bf0d9..e8962769c 100644`
			`--- a/lib/curl_ntlm_core.c`
			`+++ b/lib/curl_ntlm_core.c`
			`@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,`
			`Curl_HMAC_final(ctxt, output);`

			`return CURLE_OK;`
			`}`

			`+#ifndef SIZE_T_MAX`
			`+/* some limits.h headers have this defined, some don't */`
			`+#if defined(_LP64) \|\| defined(_I32LPx)`
			`+#define SIZE_T_MAX 18446744073709551615U`
			`+#else`
			`+#define SIZE_T_MAX 4294967295U`
			`+#endif`
			`+#endif`
			`+`
			`/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode`
			`* (uppercase UserName + Domain) as the data`
			`*/`
			`CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,`
			`const char *domain, size_t domlen,`
			`unsigned char *ntlmhash,`
			`unsigned char *ntlmv2hash)`
			`{`
			`/* Unicode representation */`
			`- size_t identity_len = (userlen + domlen) * 2;`
			`- unsigned char *identity = malloc(identity_len);`
			`+ size_t identity_len;`
			`+ unsigned char *identity;`
			`CURLcode result = CURLE_OK;`

			`+ /* we do the length checks below separately to avoid integer overflow risk`
			`+ on extreme data lengths */`
			`+ if((userlen > SIZE_T_MAX/2) \|\|`
			`+ (domlen > SIZE_T_MAX/2) \|\|`
			`+ ((userlen + domlen) > SIZE_T_MAX/2))`
			`+ return CURLE_OUT_OF_MEMORY;`
			`+`
			`+ identity_len = (userlen + domlen) * 2;`
			`+ identity = malloc(identity_len);`
			`+`
			`if(!identity)`
			`return CURLE_OUT_OF_MEMORY;`

			`ascii_uppercase_to_unicode_le(identity, user, userlen);`
			`ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);`
			`--`
			`2.15.0`