1 files changed, 47 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-3822.patch b/meta/recipes-support/curl/curl/CVE-2019-3822.patch
new file mode 100644
index 0000000000..4f612ddd5e
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2019-3822.patch
@@ -0,0 +1,47 @@
+From 761b51f66c7b1cd2cd6c71b807bfdb6a27c49b30 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 3 Jan 2019 12:59:28 +0100
+Subject: [PATCH 2/3] ntlm: fix *_type3_message size check to avoid buffer
+ overflow
+Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
+Reported-by: Wenxiang Qian
+CVE-2019-3822
+Upstream-Status: Backport
+[https://github.com/curl/curl/commit
+/50c9484278c63b958655a717844f0721263939cc]
+CVE: CVE-2019-3822
+Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
+---
+ lib/vauth/ntlm.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
+index 0212756ab..3be0403d9 100644
+--- a/lib/vauth/ntlm.c
+++ b/lib/vauth/ntlm.c
+@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
+   });
+ 
+ #ifdef USE_NTRESPONSES
+-  if(size < (NTLM_BUFSIZE - ntresplen)) {
+-    DEBUGASSERT(size == (size_t)ntrespoff);
+-    memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+-    size += ntresplen;
+  /* ntresplen + size should not be risking an integer overflow here */
+  if(ntresplen + size > sizeof(ntlmbuf)) {
+    failf(data, "incoming NTLM message too big");
+    return CURLE_OUT_OF_MEMORY;
+   }
+  DEBUGASSERT(size == (size_t)ntrespoff);
+  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+  size += ntresplen;
+ 
+   DEBUG_OUT({
+     fprintf(stderr, "\n   ntresp=");
+-- 
+2.22.0

diff --git a/meta/recipes-support/curl/curl/CVE-2019-3822.patch b/meta/recipes-support/curl/curl/CVE-2019-3822.patch new file mode 100644 index 0000000000..4f612ddd5e --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-3822.patch
@@ -0,0 +1,47 @@
	1	From 761b51f66c7b1cd2cd6c71b807bfdb6a27c49b30 Mon Sep 17 00:00:00 2001
	2	From: Daniel Stenberg <daniel@haxx.se>
	3	Date: Thu, 3 Jan 2019 12:59:28 +0100
	4	Subject: [PATCH 2/3] ntlm: fix *_type3_message size check to avoid buffer
	5	overflow
	6
	7	Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
	8	Reported-by: Wenxiang Qian
	9	CVE-2019-3822
	10
	11	Upstream-Status: Backport
	12	[https://github.com/curl/curl/commit
	13	/50c9484278c63b958655a717844f0721263939cc]
	14
	15	CVE: CVE-2019-3822
	16
	17	Signed-off-by: Kevin Weng <t-keweng@microsoft.com>
	18	---
	19	lib/vauth/ntlm.c \| 11 +++++++----
	20	1 file changed, 7 insertions(+), 4 deletions(-)
	21
	22	diff --git a/lib/vauth/ntlm.c b/lib/vauth/ntlm.c
	23	index 0212756ab..3be0403d9 100644
	24	--- a/lib/vauth/ntlm.c
	25	+++ b/lib/vauth/ntlm.c
	26	@@ -777,11 +777,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
	27	});
	28
	29	#ifdef USE_NTRESPONSES
	30	- if(size < (NTLM_BUFSIZE - ntresplen)) {
	31	- DEBUGASSERT(size == (size_t)ntrespoff);
	32	- memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
	33	- size += ntresplen;
	34	+ /* ntresplen + size should not be risking an integer overflow here */
	35	+ if(ntresplen + size > sizeof(ntlmbuf)) {
	36	+ failf(data, "incoming NTLM message too big");
	37	+ return CURLE_OUT_OF_MEMORY;
	38	}
	39	+ DEBUGASSERT(size == (size_t)ntrespoff);
	40	+ memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
	41	+ size += ntresplen;
	42
	43	DEBUG_OUT({
	44	fprintf(stderr, "\n ntresp=");
	45	--
	46	2.22.0
	47