ntlm: avoid malloc(0) for zero length passwords #2054
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It triggers an assert() when built with memdebug since malloc(0) may return NULL *or* a valid pointer. Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 Assisted-by: Max Dymond
jay
reviewed
Nov 4, 2017
| @@ -557,7 +557,7 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data, | |||
| unsigned char *ntbuffer /* 21 bytes */) | |||
| { | |||
| size_t len = strlen(password); | |||
| unsigned char *pw = malloc(len * 2); | |||
| unsigned char *pw = len ? malloc(len * 2) : strdup(""); | |||
There was a problem hiding this comment.
I wonder if it would be better practice to just terminate the pw even though technically it doesn't need it
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 5154949..0a825d8 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -557,12 +557,12 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
unsigned char *ntbuffer /* 21 bytes */)
{
size_t len = strlen(password);
- unsigned char *pw = malloc(len * 2);
+ unsigned char *pw = malloc((len + 1) * 2);
CURLcode result;
if(!pw)
return CURLE_OUT_OF_MEMORY;
- ascii_to_unicode_le(pw, password, len);
+ ascii_to_unicode_le(pw, password, len + 1);
/*
* The NT hashed password needs to be created using the password in theThere was a problem hiding this comment.
Thanks! So you think so? I think that approach invites suspicions that the zero termination is needed there and cast doubts as to why all functions later on are passing in the length separately.
I actually prefer my approach. I tried making the zero-length path avoid the allocation completely but I think that just made the code worse.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It triggers an assert() when built with memdebug since malloc(0) may
return NULL or a valid pointer.
Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
Assisted-by: Max Dymond