ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2024-12-31 19:17:12 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity
dc1b578a4c
openwrt/package/network/utils/curl/patches/401-CVE-2018-14618.patch

33 lines
1012 B
Diff
Raw Normal View History

curl: Fix multiple security problems This fixes the following security problems: * CVE-2018-14618: NTLM password overflow via integer overflow * CVE-2018-16839: SASL password overflow via integer overflow * CVE-2018-16840: use-after-free in handle close * CVE-2018-16842: warning message out-of-buffer read * CVE-2019-3823: SMTP end-of-response out-of-bounds read * CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow * CVE-2018-16890: NTLM type-2 out-of-bounds buffer read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-05-17 20:40:26 +00:00
From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 13 Aug 2018 10:35:52 +0200
Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password
... since it would cause an integer overflow if longer than (max size_t
/ 2).
This is CVE-2018-14618
Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
Closes #2756
Reported-by: Zhaoyang Wu
---
lib/curl_ntlm_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struc
unsigned char *ntbuffer /* 21 bytes */)
{
size_t len = strlen(password);
- unsigned char *pw = len ? malloc(len * 2) : strdup("");
+ unsigned char *pw;
CURLcode result;
+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
+ return CURLE_OUT_OF_MEMORY;
+ pw = len ? malloc(len * 2) : strdup("");
if(!pw)
return CURLE_OUT_OF_MEMORY;
Reference in New Issue Copy Permalink