Accueil Explorer Aide
S'inscrire Connexion
wareck
/
openwrt_lede
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Aborescence: 488fc98adf
Branches Tags
openwrt_lede
/
package
/
network
/
utils
/
curl
/
patches
/
113-CVE-2018-1000122.patch

113-CVE-2018-1000122.patch 1.1 KB
Historique Raw

123456789101112131415161718192021222324252627282930313233 
  1. From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Daniel Stenberg <daniel@haxx.se>
    3. 

  3. Date: Thu, 8 Mar 2018 10:33:16 +0100
    4. 

  4. Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
    5. 

  5. 

  6. CVE-2018-1000122
    7. 

  7. Bug: https://curl.haxx.se/docs/adv_2018-b047.html
    8. 

  8. 

  9. Detected by OSS-fuzz
    10. 

  10. ---
    11. 

  11.  lib/transfer.c | 9 +++++++--
    12. 

  12.  1 file changed, 7 insertions(+), 2 deletions(-)
    13. 

  13. 

  14. --- a/lib/transfer.c
    15. 

  15. +++ b/lib/transfer.c
    16. 

  16. @@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu
    17. 

  17.  
    18. 

  18.      } /* if(!header and data to read) */
    19. 

  19.  
    20. 

  20. -    if(conn->handler->readwrite &&
    21. 

  21. -       (excess > 0 && !conn->bits.stream_was_rewound)) {
    22. 

  22. +    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
    23. 

  23.        /* Parse the excess data */
    24. 

  24.        k->str += nread;
    25. 

  25. +
    26. 

  26. +      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
    27. 

  27. +        /* the excess amount was too excessive(!), make sure
    28. 

  28. +           it doesn't read out of buffer */
    29. 

  29. +        excess = &k->buf[data->set.buffer_size] - k->str;
    30. 

  30. +      }
    31. 

  31.        nread = (ssize_t)excess;
    32. 

  32.  
    33. 

  33.        result = conn->handler->readwrite(data, conn, &nread, &readmore);
    34.