mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-29 01:59:02 +00:00
dc1b578a4c
This fixes the following security problems:
* CVE-2018-14618: NTLM password overflow via integer overflow
* CVE-2018-16839: SASL password overflow via integer overflow
* CVE-2018-16840: use-after-free in handle close
* CVE-2018-16842: warning message out-of-buffer read
* CVE-2019-3823: SMTP end-of-response out-of-bounds read
* CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
* CVE-2018-16890: NTLM type-2 out-of-bounds buffer read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
33 lines
1012 B
Diff
From 57d299a499155d4b327e341c6024e293b0418243 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 13 Aug 2018 10:35:52 +0200
Subject: [PATCH] Curl_ntlm_core_mk_nt_hash: return error on too long password

... since it would cause an integer overflow if longer than (max size_t
/ 2).

This is CVE-2018-14618

Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
Closes #2756
Reported-by: Zhaoyang Wu
---
lib/curl_ntlm_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struc
unsigned char *ntbuffer /* 21 bytes */)
{
size_t len = strlen(password);
- unsigned char *pw = len ? malloc(len * 2) : strdup("");
+ unsigned char *pw;
CURLcode result;
+ if(len > SIZE_T_MAX/2) /* avoid integer overflow */
+ return CURLE_OUT_OF_MEMORY;
+ pw = len ? malloc(len * 2) : strdup("");
if(!pw)
return CURLE_OUT_OF_MEMORY;
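
Review bot: The new guard `if(len > SIZE_T_MAX/2)` depends on `SIZE_T_MAX`, which is not a standard C macro (C99 provides `SIZE_MAX` in `<stdint.h>`) and is not defined anywhere in the visible lines; confirm that this file gets a definition on every supported platform, or fall back to `SIZE_MAX` or `(size_t)-1`. The guard also returns `CURLE_OUT_OF_MEMORY`, the same code as the `if(!pw)` allocation failure below it, so a caller cannot tell an over-long password from a failed allocation; a comment on the function stating the length limit would document that. The placement is right: the check runs before `len * 2` is evaluated for `malloc`, so the multiplication can no longer wrap.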