From dd659758deef67be170cd8916a3cfa788e79ad0d Mon Sep 17 00:00:00 2001
From: Sona Sarmadi <sona.sarmadi@enea.com>
Date: Tue, 3 Oct 2017 10:55:29 +0200
Subject: curl: CVE-2017-1000100

TFTP sends more than buffer size
Reference:
https://curl.haxx.se/docs/adv_20170809B.html

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
 recipes-support/curl/curl/CVE-2017-1000100.patch | 59 ++++++++++++++++++++++++
 recipes-support/curl/curl_%.bbappend             |  1 +
 2 files changed, 60 insertions(+)
 create mode 100644 recipes-support/curl/curl/CVE-2017-1000100.patch

diff --git a/recipes-support/curl/curl/CVE-2017-1000100.patch b/recipes-support/curl/curl/CVE-2017-1000100.patch
new file mode 100644
index 0000000..02ae6cc
--- /dev/null
+++ b/recipes-support/curl/curl/CVE-2017-1000100.patch
@@ -0,0 +1,59 @@
+From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:46 +0200
+Subject: [PATCH] tftp: reject file name lengths that don't fit
+
+... and thereby avoid telling send() to send off more bytes than the
+size of the buffer!
+
+CVE-2017-1000100
+
+Bug: https://curl.haxx.se/docs/adv_20170809B.html
+Reported-by: Even Rouault
+
+Credit to OSS-Fuzz for the discovery
+
+CVE: CVE-2017-1000100
+Upstream-Status: Backport [https://curl.haxx.se/CVE-2017-1000100.patch]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ lib/tftp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tftp.c b/lib/tftp.c
+index 02bd84242..f6f4bce5b 100644
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -3,11 +3,11 @@
+  *  Project                     ___| | | |  _ \| |
+  *                             / __| | | | |_) | |
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+  * are also available at https://curl.haxx.se/docs/copyright.html.
+  *
+@@ -489,10 +489,15 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
+     result = Curl_urldecode(data, &state->conn->data->state.path[1], 0,
+                             &filename, NULL, FALSE);
+     if(result)
+       return result;
+ 
++    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
++      failf(data, "TFTP file name too long\n");
++      return CURLE_TFTP_ILLEGAL; /* too long file name field */
++    }
++
+     snprintf((char *)state->spacket.data+2,
+              state->blksize,
+              "%s%c%s%c", filename, '\0',  mode, '\0');
+     sbytes = 4 + strlen(filename) + strlen(mode);
+ 
+-- 
+2.13.3
+
diff --git a/recipes-support/curl/curl_%.bbappend b/recipes-support/curl/curl_%.bbappend
index 15e74ba..f915ba1 100644
--- a/recipes-support/curl/curl_%.bbappend
+++ b/recipes-support/curl/curl_%.bbappend
@@ -3,4 +3,5 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
 
 SRC_URI += "file://CVE-2017-7468.patch \
             file://CVE-2017-9502.patch \
+            file://CVE-2017-1000100.patch \
            "
-- 
cgit v1.2.3-54-g00ecf