Unverified Commit 50c94842 authored by Daniel Stenberg

ntlm: fix *_type3_message size check to avoid buffer overflow

Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822
parent b780b30d
+7 −4
@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
  });

#ifdef USE_NTRESPONSES
  if(size < (NTLM_BUFSIZE - ntresplen)) {
  /* ntresplen + size should not be risking an integer overflow here */
  if(ntresplen + size > sizeof(ntlmbuf)) {
    failf(data, "incoming NTLM message too big");
    return CURLE_OUT_OF_MEMORY;
  }
  DEBUGASSERT(size == (size_t)ntrespoff);
  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
  size += ntresplen;
  }

  DEBUG_OUT({
    fprintf(stderr, "\n   ntresp=");
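Review bot: The new bounds check returns CURLE_OUT_OF_MEMORY for an oversized peer-supplied NT response, which tells the caller a local allocation failed when in fact the remote type-2 message produced a response that does not fit the fixed type-3 buffer; a protocol error code describes the condition and is what a caller should act on, e.g. `return CURLE_BAD_CONTENT_ENCODING;` if that is the code the type-2 decoder in this file already uses for malformed messages — worth confirming against it. The comment `/* ntresplen + size should not be risking an integer overflow here */` asserts a bound it does not justify; I would spell out why, e.g. `/* ntresplen is derived from the decoded type-2 message and size is bounded by NTLM_BUFSIZE, so the size_t sum cannot wrap */`, adjusting to whatever the earlier part of the function actually guarantees. The check also switched from `NTLM_BUFSIZE` to `sizeof(ntlmbuf)`, which is only equivalent if `ntlmbuf` is declared as an array in this function rather than a pointer; that declaration is outside the hunk, as is the start of Curl_auth_create_ntlm_type3_message itself.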