package/network/utils/curl/patches/107-CVE-2017-8816.patch

   1 From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
   2 From: Daniel Stenberg <daniel@haxx.se>
   3 Date: Mon, 6 Nov 2017 23:51:52 +0100
   4 Subject: [PATCH] ntlm: avoid integer overflow for malloc size
   5
   6 Reported-by: Alex Nichols
   7 Assisted-by: Kamil Dudka and Max Dymond
   8
   9 CVE-2017-8816
  10
  11 Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
  12 ---
  13  lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
  14  1 file changed, 21 insertions(+), 2 deletions(-)
  15
  16 --- a/lib/curl_ntlm_core.c
  17 +++ b/lib/curl_ntlm_core.c
  18 @@ -618,6 +618,15 @@ CURLcode Curl_hmac_md5(const unsigned ch
  19    return CURLE_OK;
  20  }
  21
  22 +#ifndef SIZE_T_MAX
  23 +/* some limits.h headers have this defined, some don't */
  24 +#if defined(_LP64) || defined(_I32LPx)
  25 +#define SIZE_T_MAX 18446744073709551615U
  26 +#else
  27 +#define SIZE_T_MAX 4294967295U
  28 +#endif
  29 +#endif
  30 +
  31  /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
  32   * (uppercase UserName + Domain) as the data
  33   */
  34 @@ -627,10 +636,20 @@ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(c
  35                                         unsigned char *ntlmv2hash)
  36  {
  37    /* Unicode representation */
  38 -  size_t identity_len = (userlen + domlen) * 2;
  39 -  unsigned char *identity = malloc(identity_len);
  40 +  size_t identity_len;
  41 +  unsigned char *identity;
  42    CURLcode result = CURLE_OK;
  43
  44 +  /* we do the length checks below separately to avoid integer overflow risk
  45 +     on extreme data lengths */
  46 +  if((userlen > SIZE_T_MAX/2) ||
  47 +     (domlen > SIZE_T_MAX/2) ||
  48 +     ((userlen + domlen) > SIZE_T_MAX/2))
  49 +    return CURLE_OUT_OF_MEMORY;
  50 +
  51 +  identity_len = (userlen + domlen) * 2;
  52 +  identity = malloc(identity_len);
  53 +
  54    if(!identity)
  55      return CURLE_OUT_OF_MEMORY;
  56