diff options
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2017-1000100.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2017-1000100.patch | 51 |
1 files changed, 0 insertions, 51 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2017-1000100.patch b/meta/recipes-support/curl/curl/CVE-2017-1000100.patch deleted file mode 100644 index f74f1dd896..0000000000 --- a/meta/recipes-support/curl/curl/CVE-2017-1000100.patch +++ /dev/null | |||
@@ -1,51 +0,0 @@ | |||
1 | From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Stenberg <daniel@haxx.se> | ||
3 | Date: Tue, 1 Aug 2017 17:16:46 +0200 | ||
4 | Subject: [PATCH] tftp: reject file name lengths that don't fit | ||
5 | |||
6 | ... and thereby avoid telling send() to send off more bytes than the | ||
7 | size of the buffer! | ||
8 | |||
9 | CVE: CVE-2017-1000100 | ||
10 | |||
11 | Bug: https://curl.haxx.se/docs/adv_20170809B.html | ||
12 | Reported-by: Even Rouault | ||
13 | |||
14 | Credit to OSS-Fuzz for the discovery | ||
15 | |||
16 | Upstream-Status: Backport | ||
17 | https://github.com/curl/curl/commit/358b2b131ad6c095696f20dcfa62b8305263f898 | ||
18 | |||
19 | Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> | ||
20 | --- | ||
21 | lib/tftp.c | 7 ++++++- | ||
22 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
23 | |||
24 | diff --git a/lib/tftp.c b/lib/tftp.c | ||
25 | index 02bd842..f6f4bce 100644 | ||
26 | --- a/lib/tftp.c | ||
27 | +++ b/lib/tftp.c | ||
28 | @@ -5,7 +5,7 @@ | ||
29 | * | (__| |_| | _ <| |___ | ||
30 | * \___|\___/|_| \_\_____| | ||
31 | * | ||
32 | - * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
33 | + * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. | ||
34 | * | ||
35 | * This software is licensed as described in the file COPYING, which | ||
36 | * you should have received as part of this distribution. The terms | ||
37 | @@ -491,6 +491,11 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event) | ||
38 | if(result) | ||
39 | return result; | ||
40 | |||
41 | + if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { | ||
42 | + failf(data, "TFTP file name too long\n"); | ||
43 | + return CURLE_TFTP_ILLEGAL; /* too long file name field */ | ||
44 | + } | ||
45 | + | ||
46 | snprintf((char *)state->spacket.data+2, | ||
47 | state->blksize, | ||
48 | "%s%c%s%c", filename, '\0', mode, '\0'); | ||
49 | -- | ||
50 | 1.7.9.5 | ||
51 | |||