011-CVE-2015-3144.patch 1.0 KB

1234567891011121314151617181920212223242526272829303132
  1. From 6218ded6001ea330e589f92b6b2fa12777752b5d Mon Sep 17 00:00:00 2001
  2. From: Daniel Stenberg <daniel@haxx.se>
  3. Date: Thu, 16 Apr 2015 23:52:04 +0200
  4. Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset
  5. MIME-Version: 1.0
  6. Content-Type: text/plain; charset=UTF-8
  7. Content-Transfer-Encoding: 8bit
  8. If a URL is given with a zero-length host name, like in "http://:80" or
  9. just ":80", `fix_hostname()` will index the host name pointer with a -1
  10. offset (as it blindly assumes a non-zero length) and both read and
  11. assign that address.
  12. CVE-2015-3144
  13. Bug: http://curl.haxx.se/docs/adv_20150422D.html
  14. Reported-by: Hanno Böck
  15. ---
  16. lib/url.c | 2 +-
  17. 1 file changed, 1 insertion(+), 1 deletion(-)
  18. --- a/lib/url.c
  19. +++ b/lib/url.c
  20. @@ -3606,7 +3606,7 @@ static void fix_hostname(struct SessionH
  21. host->dispname = host->name;
  22. len = strlen(host->name);
  23. - if(host->name[len-1] == '.')
  24. + if(len && (host->name[len-1] == '.'))
  25. /* strip off a single trailing dot if present, primarily for SNI but
  26. there's no use for it */
  27. host->name[len-1]=0;