012-CVE-2015-3145.patch 1.7 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253
  1. From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001
  2. From: Daniel Stenberg <daniel@haxx.se>
  3. Date: Thu, 16 Apr 2015 16:37:40 +0200
  4. Subject: [PATCH] cookie: cookie parser out of boundary memory access
  5. MIME-Version: 1.0
  6. Content-Type: text/plain; charset=UTF-8
  7. Content-Transfer-Encoding: 8bit
  8. The internal libcurl function called sanitize_cookie_path() that cleans
  9. up the path element as given to it from a remote site or when read from
  10. a file, did not properly validate the input. If given a path that
  11. consisted of a single double-quote, libcurl would index a newly
  12. allocated memory area with index -1 and assign a zero to it, thus
  13. destroying heap memory it wasn't supposed to.
  14. CVE-2015-3145
  15. Bug: http://curl.haxx.se/docs/adv_20150422C.html
  16. Reported-by: Hanno Böck
  17. ---
  18. lib/cookie.c | 12 +++++++-----
  19. 1 file changed, 7 insertions(+), 5 deletions(-)
  20. --- a/lib/cookie.c
  21. +++ b/lib/cookie.c
  22. @@ -236,11 +236,14 @@ static char *sanitize_cookie_path(const
  23. return NULL;
  24. /* some stupid site sends path attribute with '"'. */
  25. + len = strlen(new_path);
  26. if(new_path[0] == '\"') {
  27. - memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
  28. + memmove((void *)new_path, (const void *)(new_path + 1), len);
  29. + len--;
  30. }
  31. - if(new_path[strlen(new_path) - 1] == '\"') {
  32. - new_path[strlen(new_path) - 1] = 0x0;
  33. + if(len && (new_path[len - 1] == '\"')) {
  34. + new_path[len - 1] = 0x0;
  35. + len--;
  36. }
  37. /* RFC6265 5.2.4 The Path Attribute */
  38. @@ -252,8 +255,7 @@ static char *sanitize_cookie_path(const
  39. }
  40. /* convert /hoge/ to /hoge */
  41. - len = strlen(new_path);
  42. - if(1 < len && new_path[len - 1] == '/') {
  43. + if(len && new_path[len - 1] == '/') {
  44. new_path[len - 1] = 0x0;
  45. }