--- /dev/null
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+
+CVE-2017-8816
+
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
++++ b/lib/curl_ntlm_core.c
+@@ -616,23 +616,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+ Curl_HMAC_final(ctxt, output);
+
+ return CURLE_OK;
+ }
+
++#ifndef SIZE_T_MAX
++/* some limits.h headers have this defined, some don't */
++#if defined(_LP64) || defined(_I32LPx)
++#define SIZE_T_MAX 18446744073709551615U
++#else
++#define SIZE_T_MAX 4294967295U
++#endif
++#endif
++
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+ * (uppercase UserName + Domain) as the data
+ */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+ const char *domain, size_t domlen,
+ unsigned char *ntlmhash,
+ unsigned char *ntlmv2hash)
+ {
+ /* Unicode representation */
+- size_t identity_len = (userlen + domlen) * 2;
+- unsigned char *identity = malloc(identity_len);
++ size_t identity_len;
++ unsigned char *identity;
+ CURLcode result = CURLE_OK;
+
++ /* we do the length checks below separately to avoid integer overflow risk
++ on extreme data lengths */
++ if((userlen > SIZE_T_MAX/2) ||
++ (domlen > SIZE_T_MAX/2) ||
++ ((userlen + domlen) > SIZE_T_MAX/2))
++ return CURLE_OUT_OF_MEMORY;
++
++ identity_len = (userlen + domlen) * 2;
++ identity = malloc(identity_len);
++
+ if(!identity)
+ return CURLE_OUT_OF_MEMORY;
+
+ ascii_uppercase_to_unicode_le(identity, user, userlen);
+ ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+--
+2.15.0
+
--- /dev/null
+From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 10 Nov 2017 08:52:45 +0100
+Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
+
+The code would previous read beyond the end of the pattern string if the
+match pattern ends with an open bracket when the default pattern
+matching function is used.
+
+Detected by OSS-Fuzz:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
+
+CVE-2017-8817
+
+Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
+---
+ lib/curl_fnmatch.c | 9 +++------
+ tests/data/Makefile.inc | 2 +-
+ tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 56 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/test1163
+
+diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
+index da83393b4..8a1e106c4 100644
+--- a/lib/curl_fnmatch.c
++++ b/lib/curl_fnmatch.c
+@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+ unsigned char lastchar = 0;
+ bool something_found = FALSE;
+ unsigned char c;
+ for(;;) {
+ c = **p;
++ if(!c)
++ return SETCHARSET_FAIL;
++
+ switch(state) {
+ case CURLFNM_SCHS_DEFAULT:
+ if(ISALNUM(c)) { /* ASCII value */
+ rangestart = c;
+ charset[c] = 1;
+@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+ (*p)++;
+ }
+ else
+ return SETCHARSET_FAIL;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else {
+ charset[c] = 1;
+ (*p)++;
+ something_found = TRUE;
+ }
+@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
+ (*p)++;
+ }
+ else if(c == ']') {
+ return SETCHARSET_OK;
+ }
+- else if(c == '\0') {
+- return SETCHARSET_FAIL;
+- }
+ else if(ISPRINT(c)) {
+ charset[c] = 1;
+ (*p)++;
+ state = CURLFNM_SCHS_DEFAULT;
+ }
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index dc1cc03bc..6eb37d81d 100644
+--- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000
++++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000
+@@ -121,6 +121,7 @@
+ test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
+ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
+ test1144 \
++test1163 \
+ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
+ test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
+ test1216 test1217 test1218 test1219 \
+diff --git a/tests/data/test1163 b/tests/data/test1163
+new file mode 100644
+index 000000000..a109b511b
+--- /dev/null
++++ b/tests/data/test1163
+@@ -0,0 +1,52 @@
++<testcase>
++<info>
++<keywords>
++FTP
++RETR
++LIST
++wildcardmatch
++ftplistparser
++flaky
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++</data>
++</reply>
++
++# Client-side
++<client>
++<server>
++ftp
++</server>
++<tool>
++lib576
++</tool>
++<name>
++FTP wildcard with pattern ending with an open-bracket
++</name>
++<command>
++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
++</command>
++</client>
++<verify>
++<protocol>
++USER anonymous
++PASS ftp@example.com
++PWD
++CWD fully_simulated
++CWD DOS
++EPSV
++TYPE A
++LIST
++QUIT
++</protocol>
++# 78 == CURLE_REMOTE_FILE_NOT_FOUND
++<errorcode>
++78
++</errorcode>
++</verify>
++</testcase>
+--
+2.15.0
+
projects / openwrt / openwrt.git / commitdiff