ntlm_wb: bail out if the response gets overly large

author Daniel Stenberg <daniel@haxx.se>

Sat, 8 Sep 2018 21:03:53 +0000 (23:03 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Sun, 9 Sep 2018 08:44:02 +0000 (10:44 +0200)
author Daniel Stenberg <daniel@haxx.se>
Sat, 8 Sep 2018 21:03:53 +0000 (23:03 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Sun, 9 Sep 2018 08:44:02 +0000 (10:44 +0200)
diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c

index 353a6564581ef459dfe74055e63ef5705e44dff2..baf579ef7b7bbb5dbe2729d4cf382e3f0e53ec4b 100644 (file)
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -5,7 +5,7 @@
   *                            | (__| |_| |  _ <| |___
   *                             \___|\___/|_| \_\_____|
   *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
   *
   * This software is licensed as described in the file COPYING, which
   * you should have received as part of this distribution. The terms
@@ -249,6 +249,9 @@ done:
    return CURLE_REMOTE_ACCESS_DENIED;
  }
  
+/* if larger than this, something is seriously wrong */
+#define MAX_NTLM_WB_RESPONSE 100000
+
  static CURLcode ntlm_wb_response(struct connectdata *conn,
                                   const char *input, curlntlm state)
  {
@@ -289,6 +292,12 @@ static CURLcode ntlm_wb_response(struct connectdata *conn,
        buf[len_out - 1] = '\0';
        break;
      }
+
+    if(len_out > MAX_NTLM_WB_RESPONSE) {
+      failf(conn->data, "too large ntlm_wb response!");
+      return CURLE_OUT_OF_MEMORY;
+    }
+
      newbuf = Curl_saferealloc(buf, len_out + NTLM_BUFSIZE);
      if(!newbuf)
        return CURLE_OUT_OF_MEMORY;
author	Daniel Stenberg <daniel@haxx.se>
	Sat, 8 Sep 2018 21:03:53 +0000 (23:03 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Sun, 9 Sep 2018 08:44:02 +0000 (10:44 +0200)