From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Mon, 22 Oct 2018 13:13:07 +0200 Subject: [PATCH] wget: check chunk length for overflowing off_t function old new delta retrieve_file_data 428 465 +37 wget_main 2386 2389 +3 ------------------------------------------------------------------------------ (add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0) Total: 40 bytes CVE: CVE-2018-1000517 Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e] Signed-off-by: Denys Vlasenko Signed-off-by: Andreas Wellving --- networking/wget.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/networking/wget.c b/networking/wget.c index d4a9c0c..b525d6a 100644 --- a/networking/wget.c +++ b/networking/wget.c @@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_ if (ftpcmd("SIZE ", target->path, sfp) == 213) { G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10); if (G.content_len < 0 || errno) { - bb_error_msg_and_die("SIZE value is garbage"); + bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4); } G.got_clen = 1; } @@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp) #endif if (!G.chunked) break; - - fgets_and_trim(dfp); /* Eat empty line */ + + /* Each chunk ends with "\r\n" - eat it */ + fgets_and_trim(dfp); get_clen: + /* chunk size format is "HEXNUM[;name[=val]]\r\n" */ fgets_and_trim(dfp); + errno = 0; G.content_len = STRTOOFF(G.wget_buf, NULL, 16); - /* FIXME: error check? */ + /* + * Had a bug with inputs like "ffffffff0001f400" + * smashing the heap later. Ensure >= 0. + */ + if (G.content_len < 0 || errno) + bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf); if (G.content_len == 0) break; /* all done! */ G.got_clen = 1;