Diffstat (limited to 'recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch')
-rw-r--r-- | recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch | 48 |
1 files changed, 48 insertions, 0 deletions
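--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch
@@ -0,0 +1,48 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+
+CVE: CVE-2018-1000301
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000301.patch]
+
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+lib/http.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index 1a313b4..e080ae5 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -3014,6 +3014,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+{
+CURLcode result;
+struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+/* header line within buffer loop */
+do {
+@@ -3078,7 +3080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data,
+else {
+/* this was all we read so it's all a bad header */
+k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+}
+break;
+}
+--
+2.7.4
+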
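Review bot: Nothing in this section adds the new patch to the curl recipe's SRC_URI, and a file placed under recipes-support/curl/curl/ is only applied at build time when the recipe lists it, e.g. `SRC_URI += "file://CVE-2018-1000301-http-restore-buffer-pointer-when-bad-response-line-i.patch"`. The diffstat is limited to this one path, so the recipe change may exist elsewhere in the commit and should be confirmed. It is also worth checking that the two inner hunks (lib/http.c around lines 3014 and 3080) apply without fuzz to the curl version this layer builds. A misplaced restore of `k->str` and `*nread` would leave the over-read in place while the `CVE: CVE-2018-1000301` tag leads CVE tooling to report it as patched. The body of Curl_http_readwrite_headers lies outside both inner hunks, so whether other exits need the same restore cannot be judged from here.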