File curl-7.37.0-CVE-2017-8816.patch of Package curl.15496

Overview Repositories Revisions Requests Users Attributes Meta

File curl-7.37.0-CVE-2017-8816.patch of Package curl.15496

@@ -, +, @@ 
---
 lib/curl_ntlm_core.c | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
Index: curl-7.37.0/lib/curl_ntlm_core.c
===================================================================
--- curl-7.37.0.orig/lib/curl_ntlm_core.c
+++ curl-7.37.0/lib/curl_ntlm_core.c
@@ -492,6 +492,12 @@ CURLcode Curl_hmac_md5(const unsigned ch
   return CURLE_OK;
 }
 
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+
 /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
  * (uppercase UserName + Domain) as the data
  */
@@ -501,10 +507,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c
                                        unsigned char *ntlmv2hash)
 {
   /* Unicode representation */
-  size_t identity_len = (userlen + domlen) * 2;
-  unsigned char *identity = malloc(identity_len);
+  size_t identity_len;
+  unsigned char *identity;
   CURLcode res = CURLE_OK;
 
+ /* we do the length checks below separately to avoid integer overflow risk
+     on extreme data lengths */
+  if((userlen > SIZE_T_MAX/2) ||
+     (domlen > SIZE_T_MAX/2) ||
+     ((userlen + domlen) > SIZE_T_MAX/2))
+    return CURLE_OUT_OF_MEMORY;
+
+  identity_len = (userlen + domlen) * 2;
+  identity = malloc(identity_len);
+
   if(!identity)
     return CURLE_OUT_OF_MEMORY;

Places

File curl-7.37.0-CVE-2017-8816.patch of Package curl.15496

Places