authorPatrick Monnerat <patrick@monnerat.net>2016-11-24 14:28:39 +0100
committerPatrick Monnerat <patrick@monnerat.net>2016-11-24 14:28:39 +0100
commit945f60e8a7f08aedb0eede5e3574f1972fc86ec8 (patch)
tree6a3479b7bdaf88a17f4f915846c1fddaff73873a /lib/vauth
parent3e9c0230f45cafb9154bb4fcdc8ff2b51f00701a (diff)
Limit ASN.1 structure sizes to 256K. Prevent some allocation size overflows.
See CRL-01-006.
Diffstat (limited to 'lib/vauth')
-rw-r--r--lib/vauth/cleartext.c24
1 files changed, 17 insertions, 7 deletions
diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
index 6df419a64..a761ae784 100644
--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
@@ -66,16 +66,27 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
char *plainauth;
size_t ulen;
size_t plen;
+ size_t plainlen;
+ *outlen = 0;
+ *outptr = NULL;
ulen = strlen(userp);
plen = strlen(passwdp);
- plainauth = malloc(2 * ulen + plen + 2);
- if(!plainauth) {
- *outlen = 0;
- *outptr = NULL;
+ /* Compute binary message length, checking for overflows. */
+ plainlen = 2 * ulen;
+ if(plainlen < ulen)
+ return CURLE_OUT_OF_MEMORY;
+ plainlen += plen;
+ if(plainlen < plen)
+ return CURLE_OUT_OF_MEMORY;
+ plainlen += 2;
+ if(plainlen < 2)
+ return CURLE_OUT_OF_MEMORY;
+
+ plainauth = malloc(plainlen);
+ if(!plainauth)
return CURLE_OUT_OF_MEMORY;
- }
/* Calculate the reply */
memcpy(plainauth, userp, ulen);
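Review bot: The three wraparound tests that follow `plainlen = 2 * ulen;` are correct for unsigned `size_t`, but they reject only lengths that actually wrap; nothing caps `ulen` or `plen` at a sane credential size. A near-maximum `plainlen` therefore still reaches `malloc(plainlen)` and later the base64 encoder, whose own output-size arithmetic is outside this hunk and should be confirmed to be overflow-checked. The idiom is also not obvious to a reader, so a comment above the first test such as `/* size_t arithmetic wraps on overflow: a result smaller than an operand means it wrapped */` would document why `plainlen < ulen` is the right condition. The function body starts before and continues past this hunk.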
@@ -85,8 +96,7 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
memcpy(plainauth + 2 * ulen + 2, passwdp, plen);
/* Base64 encode the reply */
- result = Curl_base64_encode(data, plainauth, 2 * ulen + plen + 2, outptr,
- outlen);
+ result = Curl_base64_encode(data, plainauth, plainlen, outptr, outlen);
free(plainauth);
return result;
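Review bot: `free(plainauth);` releases a buffer that still holds the cleartext password, as the `memcpy(plainauth + 2 * ulen + 2, passwdp, plen);` at the top of this hunk shows, and the commit leaves that unchanged. Now that `plainlen` is available, the buffer could be cleared before it is freed with a wipe the compiler cannot elide, for example `explicit_bzero(plainauth, plainlen);` where the platform provides it. That keeps the secret out of recycled heap memory. The copy offset still recomputes `2 * ulen + 2` instead of deriving from `plainlen`, which is safe only because of the overflow checks earlier in the function.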