blob: ca6d7448a103a853a389c0a4c9427b9564403c56 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 16 Apr 2015 23:52:04 +0200
Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Upstream-Status: Backport
If a URL is given with a zero-length host name, like in "http://:80" or
just ":80", `fix_hostname()` will index the host name pointer with a -1
offset (as it blindly assumes a non-zero length) and both read and
assign that address.
CVE-2015-3144
Bug: http://curl.haxx.se/docs/adv_20150422D.html
Reported-by: Hanno Böck
Signed-off-by: Daniel Stenberg <daniel@haxx.se>
Signed-off-by: Maxin B. John <maxin.john@enea.com>
---
lib/url.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/url.c b/lib/url.c
index ee3d176..f033dbc 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3625,11 +3625,11 @@ static void fix_hostname(struct SessionHandle *data,
/* set the name we use to display the host name */
host->dispname = host->name;
len = strlen(host->name);
- if(host->name[len-1] == '.')
+ if(len && (host->name[len-1] == '.'))
/* strip off a single trailing dot if present, primarily for SNI but
there's no use for it */
host->name[len-1]=0;
if(!is_ASCII_name(host->name)) {
--
2.1.4
|
