romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-05-30 19:47:30 +03:00
Code Issues Projects Releases Packages Wiki Activity

vauth/cleartext: fix theoretical integer overflow

Browse source 
Fix theoretical integer overflow in Curl_auth_create_plain_message.

The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.

Closes #5391
This commit is contained in:
Major_Tom 2020-05-13 21:41:27 +02:00 committed by Daniel Stenberg
parent f9983a6f9e
commit 8e762199b0
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 2 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
lib/vauth/cleartext.c
View file

@ -81,7 +81,8 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
plen = strlen(passwd);
/* Compute binary message length. Check for overflows. */
if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) ||
(plen > (SIZE_T_MAX/2 - 2)))
return CURLE_OUT_OF_MEMORY;
plainlen = zlen + clen + plen + 2;