CVE-2018-1000300.patch
From 583b42cb3b809b1bf597af160468ccba728c2248 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Fri, 23 Mar 2018 23:30:04 +0100
Subject: [PATCH] pingpong: fix response cache memcpy overflow
Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.
Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.se/docs/adv_2018-82c2.html
---
lib/pingpong.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/pingpong.c b/lib/pingpong.c
index 438856a99..ad370ee82 100644
--- a/lib/pingpong.c
+++ b/lib/pingpong.c
@@ -302,11 +302,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
*
* pp->cache_size is cast to ssize_t here. This should be safe, because
* it would have been populated with something of size int to begin
* with, even though its datatype may be larger than an int.
*/
- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
+ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
+ failf(data, "cached response data too big to handle");
+ return CURLE_RECV_ERROR;
+ }
memcpy(ptr, pp->cache, pp->cache_size);
gotbytes = (ssize_t)pp->cache_size;
free(pp->cache); /* free the cache */
pp->cache = NULL; /* clear the pointer */
pp->cache_size = 0; /* zero the size just in case */
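Review bot: The new bounds check still forms `ptr + pp->cache_size` before comparing it, so in the overflow case it computes a pointer beyond the end of the buffer object, which is undefined behaviour in C and can be folded away by an optimizing compiler. Comparing sizes rather than pointers avoids that, e.g. `if(pp->cache_size > (size_t)(buf + data->set.buffer_size + 1 - ptr))`, since `ptr` lies within `buf` at this point. Replacing the `DEBUGASSERT` with a runtime `failf`/`CURLE_RECV_ERROR` return is the right move, as the assert is compiled out of release builds and left the `memcpy` unguarded there. One follow-up to confirm: on the early return, `pp->cache` is left allocated and `pp->cache_size` non-zero, so the disconnect path must free it; a short comment on the error return saying the cache is released by the usual teardown would make that explicit.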
--
2.17.0