path: root/recipes-core/busybox/busybox/CVE-2018-1000517--wget-check-chunk-length-for-overflowing-off_t.patch
From 7935de14ce61f5a5c1c845925873379ae2e2f45a Mon Sep 17 00:00:00 2001
From: Andreas Wellving <andreas.wellving@enea.com>
Date: Mon, 22 Oct 2018 13:13:07 +0200
Subject: [PATCH] wget: check chunk length for overflowing off_t

function                                             old     new   delta
retrieve_file_data                                   428     465     +37
wget_main                                           2386    2389      +3
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes

CVE: CVE-2018-1000517
Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e]

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
---
 networking/wget.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/networking/wget.c b/networking/wget.c
index d4a9c0c..b525d6a 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -566,7 +566,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
 	if (ftpcmd("SIZE ", target->path, sfp) == 213) {
 		G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
 		if (G.content_len < 0 || errno) {
-			bb_error_msg_and_die("SIZE value is garbage");
+			bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
 		}
 		G.got_clen = 1;
 	}
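Review bot: The new diagnostic `bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4)` echoes bytes received from the FTP server to the user's terminal, and the second hunk does the same with `G.wget_buf` in `"bad chunk length '%s'"`. Whether the buffer has control characters stripped before this point is not visible in the hunk; if it does not, a hostile server controls what reaches the terminal through the error message. I would either print a sanitized copy or record the assumption next to the call, for example `/* wget_buf is server-controlled; it must be free of control chars before being echoed */`. prepare_ftp_session starts and ends outside the hunk.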
@@ -821,12 +821,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
 #endif
 		if (!G.chunked)
 			break;
-
-		fgets_and_trim(dfp); /* Eat empty line */
+		
+		/* Each chunk ends with "\r\n" - eat it */
+		fgets_and_trim(dfp);
  get_clen:
+		/* chunk size format is "HEXNUM[;name[=val]]\r\n" */
 		fgets_and_trim(dfp);
+		errno = 0;
 		G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
-		/* FIXME: error check? */
+		/*
+		 * Had a bug with inputs like "ffffffff0001f400"
+		 * smashing the heap later. Ensure >= 0.
+		 */
+		if (G.content_len < 0 || errno)
+			bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
 		if (G.content_len == 0)
 			break; /* all done! */
 		G.got_clen = 1;
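Review bot: A chunk-size line that contains no hex digits at all still passes the new check. With a NULL end pointer, `STRTOOFF(G.wget_buf, NULL, 16)` (presumably a strtol-family call) yields 0 without necessarily setting errno, so the `G.content_len == 0` test just below treats garbage as the terminating chunk and the transfer ends as if it were complete. Passing an end pointer and rejecting the no-digits case closes that: `char *end;`, `G.content_len = STRTOOFF(G.wget_buf, &end, 16);`, `if (end == G.wget_buf || G.content_len < 0 || errno)`. Text after the number has to stay allowed because of the `;name[=val]` extension the added comment describes. retrieve_file_data starts and continues outside the hunk.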