Unverified Commit b780b30d authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

NTLM: fix size check condition for type2 received data 

Bug: https://curl.haxx.se/docs/CVE-2018-16890.html
Reported-by: Wenxiang Qian
CVE-2018-16890
parent a730432e

lib/vauth/ntlm.c

+4 −3
Original line number Diff line number Diff line
@@ -5,7 +5,7 @@ 
 *                            | (__| |_| |  _ <| |___

 *                             \___|\___/|_| \_\_____|

 *

 * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.

 * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.

 *

 * This software is licensed as described in the file COPYING, which

 * you should have received as part of this distribution. The terms
@@ -182,7 +182,8 @@ static CURLcode ntlm_decode_type2_target(struct Curl_easy *data, 
    target_info_len = Curl_read16_le(&buffer[40]);

    target_info_offset = Curl_read32_le(&buffer[44]);

    if(target_info_len > 0) {

      if(((target_info_offset + target_info_len) > size) ||

      if((target_info_offset >= size) ||

         ((target_info_offset + target_info_len) > size) ||

         (target_info_offset < 48)) {

        infof(data, "NTLM handshake failure (bad type-2 message). "

              "Target Info Offset Len is set incorrect by the peer\n");