mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-10 15:03:07 +00:00
060b7f1fbb
This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01 Curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers <foss@volatilesystems.org>
68 lines
2.1 KiB
Diff
68 lines
2.1 KiB
Diff
From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 6 Nov 2017 23:51:52 +0100
|
|
Subject: [PATCH] ntlm: avoid integer overflow for malloc size
|
|
|
|
Reported-by: Alex Nichols
|
|
Assisted-by: Kamil Dudka and Max Dymond
|
|
|
|
CVE-2017-8816
|
|
|
|
Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
|
|
---
|
|
lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
|
|
1 file changed, 21 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
|
|
index 1309bf0d9..e8962769c 100644
|
|
--- a/lib/curl_ntlm_core.c
|
|
+++ b/lib/curl_ntlm_core.c
|
|
@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
|
|
Curl_HMAC_final(ctxt, output);
|
|
|
|
return CURLE_OK;
|
|
}
|
|
|
|
+#ifndef SIZE_T_MAX
|
|
+/* some limits.h headers have this defined, some don't */
|
|
+#if defined(_LP64) || defined(_I32LPx)
|
|
+#define SIZE_T_MAX 18446744073709551615U
|
|
+#else
|
|
+#define SIZE_T_MAX 4294967295U
|
|
+#endif
|
|
+#endif
|
|
+
|
|
/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
|
|
* (uppercase UserName + Domain) as the data
|
|
*/
|
|
CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
|
|
const char *domain, size_t domlen,
|
|
unsigned char *ntlmhash,
|
|
unsigned char *ntlmv2hash)
|
|
{
|
|
/* Unicode representation */
|
|
- size_t identity_len = (userlen + domlen) * 2;
|
|
- unsigned char *identity = malloc(identity_len);
|
|
+ size_t identity_len;
|
|
+ unsigned char *identity;
|
|
CURLcode result = CURLE_OK;
|
|
|
|
+ /* we do the length checks below separately to avoid integer overflow risk
|
|
+ on extreme data lengths */
|
|
+ if((userlen > SIZE_T_MAX/2) ||
|
|
+ (domlen > SIZE_T_MAX/2) ||
|
|
+ ((userlen + domlen) > SIZE_T_MAX/2))
|
|
+ return CURLE_OUT_OF_MEMORY;
|
|
+
|
|
+ identity_len = (userlen + domlen) * 2;
|
|
+ identity = malloc(identity_len);
|
|
+
|
|
if(!identity)
|
|
return CURLE_OUT_OF_MEMORY;
|
|
|
|
ascii_uppercase_to_unicode_le(identity, user, userlen);
|
|
ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
|
|
--
|
|
2.15.0
|
|
|