author | Dan Andresan <Dan.Andresan@enea.com> | 2018-10-29 11:59:42 +0100 |
---|---|---|
committer | Gerrit Code Review <gerrit2@sestogerrit02> | 2018-10-29 11:59:42 +0100 |
commit | 4687669cd351da188c0c23ddecaaf925f6ac44b9 (patch) | |
tree | cbb92ee72ebccbd9aa08e02c2d249facb1848ed8 /recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch | |
parent | dc285391f74bfae14fe1967896c141705bbadd4a (diff) | |
parent | 5b1da299fd7359849d2c4ffda796bba999bf8f7e (diff) | |
download | meta-el-common-4687669cd351da188c0c23ddecaaf925f6ac44b9.tar.gz |
Merge "curl: Fix CVEs" into pyro
Diffstat (limited to 'recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch')
-rw-r--r-- | recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch | 43 |
1 files changed, 43 insertions, 0 deletions
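diff --git a/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
new file mode 100644
index 0000000..488d2fb
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000122-readwrite-make-sure-excess-reads-don-t-go-beyond-buf.patch
@@ -0,0 +1,43 @@
+From d52dc4760f6d9ca1937eefa2093058a952465128 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+Detected by OSS-fuzz
+
+CVE: CVE-2018-1000122
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000122.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+lib/transfer.c | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index c46ac25..fd9af31 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
+
+} /* if(!header and data to read) */
+
+- if(conn->handler->readwrite &&
+- (excess > 0 && !conn->bits.stream_was_rewound)) {
++ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+/* Parse the excess data */
+k->str += nread;
++
++ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
++ /* the excess amount was too excessive(!), make sure
++ it doesn't read out of buffer */
++ excess = &k->buf[data->set.buffer_size] - k->str;
++ }
+nread = (ssize_t)excess;
+
+result = conn->handler->readwrite(data, conn, &nread, &readmore);
+--
+2.7.4
+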
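Review bot: The bound check at `if(&k->str[excess] > &k->buf[data->set.buffer_size])` forms `&k->str[excess]` before it knows that `excess` fits in the buffer, so for an oversized `excess` the compared pointer is already outside the array, which C leaves undefined and an optimiser may treat as never true. Comparing lengths applies the same clamp without the out-of-range pointer: `size_t room = (size_t)(&k->buf[data->set.buffer_size] - k->str); if(excess > room) excess = room;`. Both forms assume `k->str` never passes the end of `k->buf` after `k->str += nread`, which the hunk does not show; readwrite_data starts and ends outside it. Because this file is a backport of the upstream fix, such a change would be a local deviation and should be recorded in the patch header. The page shows only the patch file, so confirm that the curl recipe lists it in `SRC_URI`, otherwise the fix is never applied at build time.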