ntlm: fix *_type3_message size check to avoid buffer overflow

Bug: https://curl.haxx.se/docs/CVE-2019-3822.html Reported-by: Wenxiang Qian CVE-2019-3822
curl · Jan 3, 2019 · 50c9484278c63b958655a717844f0721263939cc · 50c9484
1 parent b780b30
commit 50c9484278c63b958655a717844f0721263939cc
Unified Split

Showing with 7 additions and 4 deletions.

+7 −4 lib/vauth/ntlm.c
diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
@@ -779,11 +779,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
  });
 #ifdef USE_NTRESPONSES
-  
-  if(size < (NTLM_BUFSIZE - ntresplen)) {
-  
-    DEBUGASSERT(size == (size_t)ntrespoff);
-  
-    memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
-  
-    size += ntresplen;
+  
+  /* ntresplen + size should not be risking an integer overflow here */
+  
+  if(ntresplen + size > sizeof(ntlmbuf)) {
+  
+    failf(data, "incoming NTLM message too big");
+  
+    return CURLE_OUT_OF_MEMORY;
  }
+  
+  DEBUGASSERT(size == (size_t)ntrespoff);
+  
+  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+  
+  size += ntresplen;
  DEBUG_OUT({
    fprintf(stderr, "\n   ntresp=");