137 lines
4.3 KiB
Diff
137 lines
4.3 KiB
Diff
|
From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Tue, 20 Mar 2018 15:15:14 +0100
|
||
|
Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check
|
||
|
|
||
|
Make the integer overflow check not rely on the undefined behavior that
|
||
|
a size_t wraps around on overflow.
|
||
|
|
||
|
Detected by lgtm.com
|
||
|
Closes #2408
|
||
|
|
||
|
Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/curl_ntlm_core.c | 11 +----------
|
||
|
lib/curl_setup.h | 9 +++++++++
|
||
|
lib/vauth/cleartext.c | 14 ++++----------
|
||
|
3 files changed, 14 insertions(+), 20 deletions(-)
|
||
|
|
||
|
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
|
||
|
index e5c785d..b69c293 100644
|
||
|
--- a/lib/curl_ntlm_core.c
|
||
|
+++ b/lib/curl_ntlm_core.c
|
||
|
@@ -5,7 +5,7 @@
|
||
|
* | (__| |_| | _ <| |___
|
||
|
* \___|\___/|_| \_\_____|
|
||
|
*
|
||
|
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||
|
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||
|
*
|
||
|
* This software is licensed as described in the file COPYING, which
|
||
|
* you should have received as part of this distribution. The terms
|
||
|
@@ -143,15 +143,6 @@
|
||
|
#define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00"
|
||
|
#define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4)
|
||
|
|
||
|
-#ifndef SIZE_T_MAX
|
||
|
-/* some limits.h headers have this defined, some don't */
|
||
|
-#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||
|
-#define SIZE_T_MAX 18446744073709551615U
|
||
|
-#else
|
||
|
-#define SIZE_T_MAX 4294967295U
|
||
|
-#endif
|
||
|
-#endif
|
||
|
-
|
||
|
/*
|
||
|
* Turns a 56-bit key into being 64-bit wide.
|
||
|
*/
|
||
|
diff --git a/lib/curl_setup.h b/lib/curl_setup.h
|
||
|
index f128696..e4503c6 100644
|
||
|
--- a/lib/curl_setup.h
|
||
|
+++ b/lib/curl_setup.h
|
||
|
@@ -447,6 +447,15 @@
|
||
|
# endif
|
||
|
#endif
|
||
|
|
||
|
+#ifndef SIZE_T_MAX
|
||
|
+/* some limits.h headers have this defined, some don't */
|
||
|
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
|
||
|
+#define SIZE_T_MAX 18446744073709551615U
|
||
|
+#else
|
||
|
+#define SIZE_T_MAX 4294967295U
|
||
|
+#endif
|
||
|
+#endif
|
||
|
+
|
||
|
/*
|
||
|
* Arg 2 type for gethostname in case it hasn't been defined in config file.
|
||
|
*/
|
||
|
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
|
||
|
index a761ae7..5d61ce6 100644
|
||
|
--- a/lib/vauth/cleartext.c
|
||
|
+++ b/lib/vauth/cleartext.c
|
||
|
@@ -5,7 +5,7 @@
|
||
|
* | (__| |_| | _ <| |___
|
||
|
* \___|\___/|_| \_\_____|
|
||
|
*
|
||
|
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||
|
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||
|
*
|
||
|
* This software is licensed as described in the file COPYING, which
|
||
|
* you should have received as part of this distribution. The terms
|
||
|
@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
||
|
ulen = strlen(userp);
|
||
|
plen = strlen(passwdp);
|
||
|
|
||
|
- /* Compute binary message length, checking for overflows. */
|
||
|
- plainlen = 2 * ulen;
|
||
|
- if(plainlen < ulen)
|
||
|
- return CURLE_OUT_OF_MEMORY;
|
||
|
- plainlen += plen;
|
||
|
- if(plainlen < plen)
|
||
|
- return CURLE_OUT_OF_MEMORY;
|
||
|
- plainlen += 2;
|
||
|
- if(plainlen < 2)
|
||
|
+ /* Compute binary message length. Check for overflows. */
|
||
|
+ if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
|
||
|
return CURLE_OUT_OF_MEMORY;
|
||
|
+ plainlen = 2 * ulen + plen + 2;
|
||
|
|
||
|
plainauth = malloc(plainlen);
|
||
|
if(!plainauth)
|
||
|
--
|
||
|
2.17.2
|
||
|
|
||
|
|
||
|
From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||
|
Date: Fri, 28 Sep 2018 16:08:16 +0200
|
||
|
Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check
|
||
|
|
||
|
CVE-2018-16839
|
||
|
Reported-by: Harry Sintonen
|
||
|
Bug: https://curl.haxx.se/docs/CVE-2018-16839.html
|
||
|
|
||
|
Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5
|
||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||
|
---
|
||
|
lib/vauth/cleartext.c | 2 +-
|
||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
|
||
|
index 5d61ce6..1367143 100644
|
||
|
--- a/lib/vauth/cleartext.c
|
||
|
+++ b/lib/vauth/cleartext.c
|
||
|
@@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
|
||
|
plen = strlen(passwdp);
|
||
|
|
||
|
/* Compute binary message length. Check for overflows. */
|
||
|
- if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
|
||
|
+ if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
|
||
|
return CURLE_OUT_OF_MEMORY;
|
||
|
plainlen = 2 * ulen + plen + 2;
|
||
|
|
||
|
--
|
||
|
2.17.2
|
||
|
|