From a21a706f3281c58f94574f2b4877c24c853cb418 Mon Sep 17 00:00:00 2001
From: naddy
Date: Mon, 14 Mar 2005 22:52:20 +0000
Subject: [PATCH] SECURITY: Fix NT LAN Manager (NTLM) authentication handling.
By sending a specially crafted long NTLM reply packet, a remote attacker could overflow the reply buffer. This could lead to execution of arbitrary attacker specified code with the privileges of the application using the cURL library. CAN-2005-0490. From Ubuntu. ok brad@, pval@
---
 net/curl/Makefile | 3 ++-
 net/curl/patches/patch-lib_http_ntlm_c | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 net/curl/patches/patch-lib_http_ntlm_c
diff --git a/net/curl/Makefile b/net/curl/Makefile
index 4a7873f7b3b..c2aa5d60c19 100644
--- a/net/curl/Makefile
+++ b/net/curl/Makefile
@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.45 2004/12/16 00:31:21 alek Exp $
+# $OpenBSD: Makefile,v 1.46 2005/03/14 22:52:20 naddy Exp $
 COMMENT= "get files from FTP, Gopher, HTTP or HTTPS servers"
 DISTNAME= curl-7.11.2
+PKGNAME= ${DISTNAME}p0
 CATEGORIES= net
 MASTER_SITES= http://curl.haxx.se/download/ \
 ftp://ftp.sunet.se/pub/www/utilities/curl/ \
diff --git a/net/curl/patches/patch-lib_http_ntlm_c b/net/curl/patches/patch-lib_http_ntlm_c
new file mode 100644
index 00000000000..f6b06c545a2
--- /dev/null
+++ b/net/curl/patches/patch-lib_http_ntlm_c
@@ -0,0 +1,25 @@
+$OpenBSD: patch-lib_http_ntlm_c,v 1.1 2005/03/14 22:52:20 naddy Exp $
+--- lib/http_ntlm.c.orig Mon Mar 14 21:15:15 2005
++++ lib/http_ntlm.c Mon Mar 14 21:16:43 2005
+@@ -105,7 +105,6 @@ CURLntlm Curl_input_ntlm(struct connectd
+ header++;
+ 
+ if(checkprefix("NTLM", header)) {
+- unsigned char buffer[256];
+ header += strlen("NTLM");
+ 
+ while(*header && isspace((int)*header))
+@@ -126,7 +125,12 @@ CURLntlm Curl_input_ntlm(struct connectd
+ 32 (48) start of data block
+ */
+ 
+- size_t size = Curl_base64_decode(header, (char *)buffer);
++ size_t size;
++ unsigned char *buffer = (unsigned char *)malloc(strlen(header));
++ if (buffer == NULL)
++ return CURLNTLM_BAD;
++
++ size = Curl_base64_decode(header, (char *)buffer);
+ 
+ ntlm->state = NTLMSTATE_TYPE2; /* we got a type-2 */
+ 
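Review bot: The `buffer` obtained from `malloc(strlen(header))` in the second inner hunk is never released on the path shown — after `Curl_base64_decode` the function carries on using it, but no `free(buffer)` appears, so unless a release was added further down outside this hunk, every Type-2 challenge leaks up to strlen(header) bytes for the life of the process. The allocation size itself is adequate, since base64 decoding yields at most three quarters of the encoded length, so the original 256-byte stack overflow (CAN-2005-0490) is closed by this change. What the hunk does not show is any check that the decoded `size` actually covers the fixed offsets the following code presumably reads from the type-2 message (the context comment refers to offsets 32 and 48); a short but syntactically valid challenge would then read past the end of the heap buffer, so a guard such as `if(size < 48) { free(buffer); return CURLNTLM_BAD; }` right after the decode, plus a `free(buffer)` once the needed fields have been copied out of it, are worth confirming against the rest of the function. Curl_input_ntlm begins before and continues after this hunk.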