diff options
-rw-r--r-- | recipes-support/curl/curl/CVE-2017-8816.patch | 69 | ||||
-rw-r--r-- | recipes-support/curl/curl_%.bbappend | 1 |
2 files changed, 70 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2017-8816.patch b/recipes-support/curl/curl/CVE-2017-8816.patch new file mode 100644 index 0000000..9b957ce --- /dev/null +++ b/recipes-support/curl/curl/CVE-2017-8816.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 7947c50bcd09cf471c95511739bc66d2cb506ee2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Mon, 6 Nov 2017 23:51:52 +0100 | ||
4 | Subject: [PATCH] ntlm: avoid integer overflow for malloc size | ||
5 | |||
6 | Reported-by: Alex Nichols | ||
7 | Assisted-by: Kamil Dudka and Max Dymond | ||
8 | |||
9 | CVE: CVE-2017-8816 | ||
10 | Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-8816.patch] | ||
11 | |||
12 | Bug: https://curl.haxx.se/docs/adv_2017-11e7.html | ||
13 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
14 | --- | ||
15 | lib/curl_ntlm_core.c | 23 +++++++++++++++++++++-- | ||
16 | 1 file changed, 21 insertions(+), 2 deletions(-) | ||
17 | |||
18 | diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c | ||
19 | index 1309bf0d9..e8962769c 100644 | ||
20 | --- a/lib/curl_ntlm_core.c | ||
21 | +++ b/lib/curl_ntlm_core.c | ||
22 | @@ -644,23 +644,42 @@ CURLcode Curl_hmac_md5(const unsigned char *key, unsigned int keylen, | ||
23 | Curl_HMAC_final(ctxt, output); | ||
24 | |||
25 | return CURLE_OK; | ||
26 | } | ||
27 | |||
28 | +#ifndef SIZE_T_MAX | ||
29 | +/* some limits.h headers have this defined, some don't */ | ||
30 | +#if defined(SIZEOF_SIZE_T) && (SIZEOF_SIZE_T > 4) | ||
31 | +#define SIZE_T_MAX 18446744073709551615U | ||
32 | +#else | ||
33 | +#define SIZE_T_MAX 4294967295U | ||
34 | +#endif | ||
35 | +#endif | ||
36 | + | ||
37 | /* This creates the NTLMv2 hash by using NTLM hash as the key and Unicode | ||
38 | * (uppercase UserName + Domain) as the data | ||
39 | */ | ||
40 | CURLcode Curl_ntlm_core_mk_ntlmv2_hash(const char *user, size_t userlen, | ||
41 | const char *domain, size_t domlen, | ||
42 | unsigned char *ntlmhash, | ||
43 | unsigned char *ntlmv2hash) | ||
44 | { | ||
45 | /* Unicode representation */ | ||
46 | - size_t identity_len = (userlen + domlen) * 2; | ||
47 | - unsigned char *identity = malloc(identity_len); | ||
48 | + size_t identity_len; | ||
49 | + unsigned char *identity; | ||
50 | CURLcode result = CURLE_OK; | ||
51 | |||
52 | + /* we do the length checks below separately to avoid integer overflow risk | ||
53 | + on extreme data lengths */ | ||
54 | + if((userlen > SIZE_T_MAX/2) || | ||
55 | + (domlen > SIZE_T_MAX/2) || | ||
56 | + ((userlen + domlen) > SIZE_T_MAX/2)) | ||
57 | + return CURLE_OUT_OF_MEMORY; | ||
58 | + | ||
59 | + identity_len = (userlen + domlen) * 2; | ||
60 | + identity = malloc(identity_len); | ||
61 | + | ||
62 | if(!identity) | ||
63 | return CURLE_OUT_OF_MEMORY; | ||
64 | |||
65 | ascii_uppercase_to_unicode_le(identity, user, userlen); | ||
66 | ascii_to_unicode_le(identity + (userlen << 1), domain, domlen); | ||
67 | -- | ||
68 | 2.15.0 | ||
69 | |||
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend index bc75100..18231f4 100644 --- a/recipes-support/curl/curl_%.bbappend +++ b/recipes-support/curl/curl_%.bbappend | |||
@@ -6,4 +6,5 @@ SRC_URI += "file://CVE-2017-7407.patch \ | |||
6 | file://CVE-2017-9502.patch \ | 6 | file://CVE-2017-9502.patch \ |
7 | file://CVE-2017-1000254.patch \ | 7 | file://CVE-2017-1000254.patch \ |
8 | file://CVE-2017-1000257.patch \ | 8 | file://CVE-2017-1000257.patch \ |
9 | file://CVE-2017-8816.patch \ | ||
9 | " | 10 | " |