1 files changed, 69 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch
new file mode 100644
index 0000000..9b957ce
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-8816.patch
@@ -0,0 +1,69 @@
+From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 6 Nov 2017 23:51:52 +0100
+Subject: [PATCH] ntlm: avoid integer overflow for malloc size
+Reported-by: Alex Nichols
+Assisted-by: Kamil Dudka and Max Dymond
+CVE: CVE-2017-8816
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
+Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/curl_ntlm_core.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
+index 1309bf0d9..e8962769c 100644
+--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
+@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
+   Curl_HMAC_final(ctxt, output);
+ 
+   return CURLE_OK;
+ }
+ 
+#ifndef SIZE_T_MAX
+/* some limits.h headers have this defined, some don't */
+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
+#define SIZE_T_MAX 18446744073709551615U
+#else
+#define SIZE_T_MAX 4294967295U
+#endif
+#endif
+
+ /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
+  * (uppercase UserName + Domain) as the data
+  */
+ CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
+                                        const char *domain, size_t domlen,
+                                        unsigned char *ntlmhash,
+                                        unsigned char *ntlmv2hash)
+ {
+   /* Unicode representation */
+-  size_t identity_len = (userlen + domlen) * 2;
+-  unsigned char *identity = malloc(identity_len);
+  size_t identity_len;
+  unsigned char *identity;
+   CURLcode result = CURLE_OK;
+ 
+  /* we do the length checks below separately to avoid integer overflow risk
+     on extreme data lengths */
+  if((userlen > SIZE_T_MAX/2) ||
+     (domlen > SIZE_T_MAX/2) ||
+     ((userlen + domlen) > SIZE_T_MAX/2))
+    return CURLE_OUT_OF_MEMORY;
+
+  identity_len = (userlen + domlen) * 2;
+  identity = malloc(identity_len);
+
+   if(!identity)
+     return CURLE_OUT_OF_MEMORY;
+ 
+   ascii_uppercase_to_unicode_le(identity, user, userlen);
+   ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
+-- 
+2.15.0

diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch new file mode 100644 index 0000000..9b957ce --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-8816.patch
@@ -0,0 +1,69 @@
	1	From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Mon, 6 Nov 2017 23:51:52 +0100
	4	Subject: [PATCH] ntlm: avoid integer overflow for malloc size
	5
	6	Reported-by: Alex Nichols
	7	Assisted-by: Kamil Dudka and Max Dymond
	8
	9	CVE: CVE-2017-8816
	10	Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch]
	11
	12	Bug: https://curl.haxx.se/docs/adv_2017-11e7.html
	13	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	14	---
	15	lib/curl_ntlm_core.c \| 23 +++++++++++++++++++++--
	16	1 file changed, 21 insertions(+), 2 deletions(-)
	17
	18	diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
	19	index 1309bf0d9..e8962769c 100644
	20	--- a/lib/curl_ntlm_core.c
	21	+++ b/lib/curl_ntlm_core.c
	22	@@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen,
	23	Curl_HMAC_final(ctxt, output);
	24
	25	return CURLE_OK;
	26	}
	27
	28	+#ifndef SIZE_T_MAX
	29	+/* some limits.h headers have this defined, some don't */
	30	+#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4)
	31	+#define SIZE_T_MAX 18446744073709551615U
	32	+#else
	33	+#define SIZE_T_MAX 4294967295U
	34	+#endif
	35	+#endif
	36	+
	37	/* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode
	38	* (uppercase UserName + Domain) as the data
	39	*/
	40	CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen,
	41	const char *domain, size_t domlen,
	42	unsigned char *ntlmhash,
	43	unsigned char *ntlmv2hash)
	44	{
	45	/* Unicode representation */
	46	- size_t identity_len = (userlen + domlen) * 2;
	47	- unsigned char *identity = malloc(identity_len);
	48	+ size_t identity_len;
	49	+ unsigned char *identity;
	50	CURLcode result = CURLE_OK;
	51
	52	+ /* we do the length checks below separately to avoid integer overflow risk
	53	+ on extreme data lengths */
	54	+ if((userlen > SIZE_T_MAX/2) \|\|
	55	+ (domlen > SIZE_T_MAX/2) \|\|
	56	+ ((userlen + domlen) > SIZE_T_MAX/2))
	57	+ return CURLE_OUT_OF_MEMORY;
	58	+
	59	+ identity_len = (userlen + domlen) * 2;
	60	+ identity = malloc(identity_len);
	61	+
	62	if(!identity)
	63	return CURLE_OUT_OF_MEMORY;
	64
	65	ascii_uppercase_to_unicode_le(identity, user, userlen);
	66	ascii_to_unicode_le(identity + (userlen << 1), domain, domlen);
	67	--
	68	2.15.0
	69