From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 8 Sep 2018 21:03:53 +0000 (+0200)
Subject: ntlm_wb: bail out if the response gets overly large
X-Git-Tag: curl-7_62_0~206
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=37da149670ebf0535793e13be9f46166c8303978;p=thirdparty%2Fcurl.git

ntlm_wb: bail out if the response gets overly large

Exit the realloc() loop if the response turns out ridiculously large to
avoid worse problems.

Reported-by: Harry Sintonen
Closes #2959
---

diff --git a/lib/curl_ntlm_wb.c b/lib/curl_ntlm_wb.c
index 353a656458..baf579ef7b 100644
--- a/lib/curl_ntlm_wb.c
+++ b/lib/curl_ntlm_wb.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -249,6 +249,9 @@ done:
   return CURLE_REMOTE_ACCESS_DENIED;
 }
 
+/* if larger than this, something is seriously wrong */
+#define MAX_NTLM_WB_RESPONSE 100000
+
 static CURLcode ntlm_wb_response(struct connectdata *conn,
                                  const char *input, curlntlm state)
 {
@@ -289,6 +292,12 @@ static CURLcode ntlm_wb_response(struct connectdata *conn,
       buf[len_out - 1] = '\0';
       break;
     }
+
+    if(len_out > MAX_NTLM_WB_RESPONSE) {
+      failf(conn->data, "too large ntlm_wb response!");
+      return CURLE_OUT_OF_MEMORY;
+    }
+
     newbuf = Curl_saferealloc(buf, len_out + NTLM_BUFSIZE);
     if(!newbuf)
       return CURLE_OUT_OF_MEMORY;