Re: NTLM buffer overflow

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Wed, 23 Feb 2005 21:21:32 -0800

On Wed, Feb 23, 2005 at 06:24:00PM -0500, Toby Peterson wrote:
> In krb4.c, where is ptr being allocated? Seems to me like it isn't....
> I'd submit a patch, but I'm not sure what buffer sizes to use, or how
> to handle errors.
>
> I know Daniel is on vacation - anyone here who could whip up a patch?

Daniel checked in a fix to CVS before he left. The new version of
Curl_base64_decode allocates the correct size of memory itself, and
returns a pointer that the caller must free.

However, I just noticed a serious problem in the new version.
If a base64 string suffixed with too many equals signs is passed in
to Curl_base64_decode, it will attempt to malloc a buffer that is too
small. libcurl will then proceed to stomp all over the heap with data
defined by the attacker. It's not clear if this is exploitable or not,
but it can definitely cause a denial of service. This potentially affects
NTLM, Negotiate and Kerberos authentication methods.

>>> Dan
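The sizing problem Dan describes, as an added example in C that is not libcurl's code (the mail quotes none): a naive decoded-size estimate that shrinks with every trailing '=' beside a strict one that rejects malformed padding, so the buffer handed to malloc is never smaller than what the decoder then writes. Function names, the standard alphabet and the single-string input shape are assumptions.

```c
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Naive sizing: 3 bytes per 4 chars, minus one per trailing '='. Every
 * surplus '=' pushes the estimate below what the data groups decode to. */
long naive_decoded_size(const char *src)
{
    size_t len = strlen(src);
    long size = (long)(len / 4 * 3);
    while (len && src[len - 1] == '=') { size--; len--; }
    return size;
}

/* Strict sizing: exact decoded length, or -1 if the input is malformed
 * (length not a multiple of 4, more than two '=', '=' anywhere but the
 * last two positions, or a character outside the alphabet). */
long strict_decoded_size(const char *src)
{
    size_t len = strlen(src), i, pad = 0;
    if (len == 0 || len % 4 != 0) return -1;
    for (i = 0; i < len; i++) {
        if (src[i] == '=') {
            if (++pad > 2 || i + 2 < len) return -1;
        } else if (pad || !strchr(B64, src[i])) return -1;
    }
    return (long)(len / 4 * 3 - pad);
}

/* Decode into a buffer sized by strict_decoded_size(); returns bytes
 * written, or -1 if the input is malformed or the buffer is too small. */
long strict_decode(const char *src, unsigned char *out, size_t outlen)
{
    long need = strict_decoded_size(src);
    size_t i, n = 0;
    if (need < 0 || (size_t)need > outlen) return -1;
    for (i = 0; src[i]; i += 4) {            /* one 24-bit group per 4 chars */
        unsigned long v = 0;
        for (int k = 0; k < 4; k++) {
            const char *p = src[i + k] == '=' ? NULL : strchr(B64, src[i + k]);
            v = (v << 6) | (p ? (unsigned long)(p - B64) : 0);
        }
        for (int s = 16; s >= 0 && n < (size_t)need; s -= 8)
            out[n++] = (unsigned char)(v >> s); /* skip bytes covered by '=' */
    }
    return (long)n;
}
```

With "AAAA====" the naive estimate (2) is smaller than the 3 bytes the "AAAA" group decodes to, while the strict sizer refuses the string outright.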

Received on 2005-02-24