diff options
Diffstat (limited to 'meta/recipes-support/curl/curl')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2019-5482.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2019-5482.patch b/meta/recipes-support/curl/curl/CVE-2019-5482.patch new file mode 100644 index 0000000000..30122d1ae9 --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2019-5482.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Vegas <> | ||
3 | Date: Sat, 31 Aug 2019 17:30:51 +0200 | ||
4 | Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is | ||
5 | received | ||
6 | |||
7 | Fixes potential buffer overflow from 'recvfrom()', should the server | ||
8 | return an OACK without blksize. | ||
9 | |||
10 | Bug: https://curl.haxx.se/docs/CVE-2019-5482.html | ||
11 | CVE-2019-5482 | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | CVE: CVE-2019-5482 | ||
15 | |||
16 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
17 | |||
18 | --- | ||
19 | lib/tftp.c | 12 +++++++++--- | ||
20 | 1 file changed, 9 insertions(+), 3 deletions(-) | ||
21 | |||
22 | Index: curl-7.64.1/lib/tftp.c | ||
23 | =================================================================== | ||
24 | --- curl-7.64.1.orig/lib/tftp.c | ||
25 | +++ curl-7.64.1/lib/tftp.c | ||
26 | @@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct conn | ||
27 | { | ||
28 | tftp_state_data_t *state; | ||
29 | int blksize; | ||
30 | + int need_blksize; | ||
31 | |||
32 | blksize = TFTP_BLKSIZE_DEFAULT; | ||
33 | |||
34 | @@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct conn | ||
35 | return CURLE_TFTP_ILLEGAL; | ||
36 | } | ||
37 | |||
38 | + need_blksize = blksize; | ||
39 | + /* default size is the fallback when no OACK is received */ | ||
40 | + if(need_blksize < TFTP_BLKSIZE_DEFAULT) | ||
41 | + need_blksize = TFTP_BLKSIZE_DEFAULT; | ||
42 | + | ||
43 | if(!state->rpacket.data) { | ||
44 | - state->rpacket.data = calloc(1, blksize + 2 + 2); | ||
45 | + state->rpacket.data = calloc(1, need_blksize + 2 + 2); | ||
46 | |||
47 | if(!state->rpacket.data) | ||
48 | return CURLE_OUT_OF_MEMORY; | ||
49 | } | ||
50 | |||
51 | if(!state->spacket.data) { | ||
52 | - state->spacket.data = calloc(1, blksize + 2 + 2); | ||
53 | + state->spacket.data = calloc(1, need_blksize + 2 + 2); | ||
54 | |||
55 | if(!state->spacket.data) | ||
56 | return CURLE_OUT_OF_MEMORY; | ||
57 | @@ -1009,7 +1015,7 @@ static CURLcode tftp_connect(struct conn | ||
58 | state->sockfd = state->conn->sock[FIRSTSOCKET]; | ||
59 | state->state = TFTP_STATE_START; | ||
60 | state->error = TFTP_ERR_NONE; | ||
61 | - state->blksize = blksize; | ||
62 | + state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ | ||
63 | state->requested_blksize = blksize; | ||
64 | |||
65 | ((struct sockaddr *)&state->local_addr)->sa_family = | ||