From 4df8ff21144236497fc92521d79fbca2dc079686 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 20 Mar 2018 15:15:14 +0100 Subject: [PATCH 1/2] vauth/cleartext: fix integer overflow check Make the integer overflow check not rely on the undefined behavior that a size_t wraps around on overflow. Detected by lgtm.com Closes #2408 Upstream-commit: c1366571b609407cf0d4d9f4a2769d29e1313151 Signed-off-by: Kamil Dudka --- lib/curl_ntlm_core.c | 11 +---------- lib/curl_setup.h | 9 +++++++++ lib/vauth/cleartext.c | 14 ++++---------- 3 files changed, 14 insertions(+), 20 deletions(-) diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c index e5c785d..b69c293 100644 --- a/lib/curl_ntlm_core.c +++ b/lib/curl_ntlm_core.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -143,15 +143,6 @@ #define NTLMv2_BLOB_SIGNATURE "\x01\x01\x00\x00" #define NTLMv2_BLOB_LEN (44 -16 + ntlm->target_info_len + 4) -#ifndef SIZE_T_MAX -/* some limits.h headers have this defined, some don't */ -#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) -#define SIZE_T_MAX 18446744073709551615U -#else -#define SIZE_T_MAX 4294967295U -#endif -#endif - /* * Turns a 56-bit key into being 64-bit wide. */ diff --git a/lib/curl_setup.h b/lib/curl_setup.h index f128696..e4503c6 100644 --- a/lib/curl_setup.h +++ b/lib/curl_setup.h @@ -447,6 +447,15 @@ # endif #endif +#ifndef SIZE_T_MAX +/* some limits.h headers have this defined, some don't */ +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) +#define SIZE_T_MAX 18446744073709551615U +#else +#define SIZE_T_MAX 4294967295U +#endif +#endif + /* * Arg 2 type for gethostname in case it hasn't been defined in config file. */ diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c index a761ae7..5d61ce6 100644 --- a/lib/vauth/cleartext.c +++ b/lib/vauth/cleartext.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2018, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, ulen = strlen(userp); plen = strlen(passwdp); - /* Compute binary message length, checking for overflows. */ - plainlen = 2 * ulen; - if(plainlen < ulen) - return CURLE_OUT_OF_MEMORY; - plainlen += plen; - if(plainlen < plen) - return CURLE_OUT_OF_MEMORY; - plainlen += 2; - if(plainlen < 2) + /* Compute binary message length. Check for overflows. */ + if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) return CURLE_OUT_OF_MEMORY; + plainlen = 2 * ulen + plen + 2; plainauth = malloc(plainlen); if(!plainauth) -- 2.17.2 From ad9943254ded9a983af7d581e8a1f3317e8a8781 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 28 Sep 2018 16:08:16 +0200 Subject: [PATCH 2/2] Curl_auth_create_plain_message: fix too-large-input-check CVE-2018-16839 Reported-by: Harry Sintonen Bug: https://curl.haxx.se/docs/CVE-2018-16839.html Upstream-commit: f3a24d7916b9173c69a3e0ee790102993833d6c5 Signed-off-by: Kamil Dudka --- lib/vauth/cleartext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c index 5d61ce6..1367143 100644 --- a/lib/vauth/cleartext.c +++ b/lib/vauth/cleartext.c @@ -74,7 +74,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data, plen = strlen(passwdp); /* Compute binary message length. Check for overflows. */ - if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2))) + if((ulen > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2))) return CURLE_OUT_OF_MEMORY; plainlen = 2 * ulen + plen + 2; -- 2.17.2