From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 1 Aug 2017 17:16:07 +0200
Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
range
Added test 1289 to verify.
CVE-2017-1000101
Bug: https://curl.haxx.se/docs/adv_20170809A.html
Reported-by: Brian Carpenter
---
src/tool_urlglob.c | 5 ++++-
tests/data/Makefile.inc | 2 +-
tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++
3 files changed, 40 insertions(+), 2 deletions(-)
create mode 100644 tests/data/test1289
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob
}
errno = 0;
max_n = strtoul(pattern, &endp, 10);
- if(errno || (*endp == ':')) {
+ if(errno)
+ /* overflow */
+ endp = NULL;
+ else if(*endp == ':') {
pattern = endp+1;
errno = 0;
step_n = strtoul(pattern, &endp, 10);
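Review bot: The new overflow branch `if(errno)` leaves its single statement unbraced with the `/* overflow */` comment line sitting between the condition and `endp = NULL;`, which is exactly the shape where a later inserted line silently falls outside the conditional; brace it: `if(errno) { /* overflow */ endp = NULL; } else if(*endp == ':') {`. The recovery presumably relies on a later check that rejects a NULL `endp`, but that check, like the rest of glob_range, lies outside this hunk, so the contract is only implicit where it is set; a comment on the assignment such as `/* NULL endp makes the range check below fail the pattern */` would make it visible. Note also that `max_n` still holds the saturated strtoul result after the overflow, which is harmless only if every path through the NULL-endp case rejects the pattern before `max_n` is used, something the hunk alone cannot confirm.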