ntlm: fix *_type3_message size check to avoid buffer overflow 31/201131/1
authorNishant Chaprana <n.chaprana@samsung.com>
Sat, 9 Mar 2019 06:45:26 +0000 (12:15 +0530)
committerNishant Chaprana <n.chaprana@samsung.com>
Sat, 9 Mar 2019 06:45:26 +0000 (12:15 +0530)
Bug: https://curl.haxx.se/docs/CVE-2019-3822.html
Reported-by: Wenxiang Qian
CVE-2019-3822

Backported patch details:

Link: https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc.patch
Change-Id: I40a37af26b81a4cefe4a26f19697e7a73b17eaf6
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
lib/vauth/ntlm.c
packaging/curl.spec

index 11f42f5..82b59f6 100644 (file)
@@ -776,11 +776,14 @@ CURLcode Curl_auth_create_ntlm_type3_message(struct Curl_easy *data,
   });
 
 #ifdef USE_NTRESPONSES
-  if(size < (NTLM_BUFSIZE - ntresplen)) {
-    DEBUGASSERT(size == (size_t)ntrespoff);
-    memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
-    size += ntresplen;
+  /* ntresplen + size should not be risking an integer overflow here */
+  if(ntresplen + size > sizeof(ntlmbuf)) {
+    failf(data, "incoming NTLM message too big");
+    return CURLE_OUT_OF_MEMORY;
   }
+  DEBUGASSERT(size == (size_t)ntrespoff);
+  memcpy(&ntlmbuf[size], ptr_ntresp, ntresplen);
+  size += ntresplen;
 
   DEBUG_OUT({
     fprintf(stderr, "\n   ntresp=");
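Review bot: The new comment above the bounds check only asserts that `ntresplen + size` "should not be" at risk of overflow without saying why, so the next reader has to re-derive the argument for the one line that now protects the memcpy into ntlmbuf. The value of ntresplen is assigned earlier in Curl_auth_create_ntlm_type3_message, outside this hunk, so whether it is bounded there is not visible here; if it is, the comment should name that bound, and if it is not, the sum can in principle wrap on a platform where size_t is 32 bits wide and the check would then pass a too-large length. A comment of the form `/* size is an offset into ntlmbuf (< sizeof(ntlmbuf)) and ntresplen is bounded by <bound established where ntresplen is set>, so the sum cannot wrap */` would make the check reviewable on its own. Note also that the DEBUGASSERT on the next line is compiled out of release builds, so the added `if` is the only guard in front of the memcpy there. The enclosing function starts and ends outside the hunk.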
index 591503e..42a93ba 100644 (file)
@@ -1,7 +1,7 @@
 Name:       curl
 Summary:    A utility for getting files from remote servers (FTP, HTTP, and others)
 Version:    7.62.0
-Release:    2
+Release:    3
 Group:      Applications/Internet
 License:    MIT
 URL:        http://curl.haxx.se/