Permalink
Browse files

ntlm: fix *_type3_message size check to avoid buffer overflow

Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822
  • Loading branch information...
bagder committed Jan 3, 2019
1 parent b780b30 commit 50c9484278c63b958655a717844f0721263939cc
Showing with 7 additions and 4 deletions.
  1. +7 −4 lib/vauth/ntlm.c
@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
});

#ifdef USE_NTRESPONSES
if(size < (NTLM_BUFSIZE - ntresplen)) {
DEBUGASSERT(size == (size_t)ntrespoff);
memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
size += ntresplen;
/* ntresplen + size should not be risking an integer overflow here */
if(ntresplen + size > sizeof(ntlmbuf)) {
failf(data, "incoming NTLM message too big");
return CURLE_OUT_OF_MEMORY;
}
DEBUGASSERT(size == (size_t)ntrespoff);
memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
size += ntresplen;

DEBUG_OUT({
fprintf(stderr, "\n ntresp=");

0 comments on commit 50c9484

Please sign in to comment.