Unverified Commit 57d299a4 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

Curl_ntlm_core_mk_nt_hash: return error on too long password 

... since it would cause an integer overflow if longer than (max size_t
/ 2).

This is CVE-2018-14618

Bug: https://curl.haxx.se/docs/CVE-2018-14618.html
Closes #2756
Reported-by: Zhaoyang Wu
parent 19ebc282

lib/curl_ntlm_core.c

+4 −1
Original line number Diff line number Diff line
@@ -557,8 +557,11 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, 
                                   unsigned char *ntbuffer /* 21 bytes */)

{

  size_t len = strlen(password);

  unsigned char *pw = len ? malloc(len * 2) : strdup("");

  unsigned char *pw;

  CURLcode result;

  if(len > SIZE_T_MAX/2) /* avoid integer overflow */

    return CURLE_OUT_OF_MEMORY;

  pw = len ? malloc(len * 2) : strdup("");

  if(!pw)

    return CURLE_OUT_OF_MEMORY;