mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-28 09:39:00 +00:00
f483a35f08
This fixes the following security problems: * CVE-2017-1000100 TFTP sends more than buffer size * CVE-2017-1000101 URL globbing out of bounds read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
34 lines
1015 B
Diff
34 lines
1015 B
Diff
From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Tue, 1 Aug 2017 17:16:07 +0200
|
|
Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
|
|
range
|
|
|
|
Added test 1289 to verify.
|
|
|
|
CVE-2017-1000101
|
|
|
|
Bug: https://curl.haxx.se/docs/adv_20170809A.html
|
|
Reported-by: Brian Carpenter
|
|
---
|
|
src/tool_urlglob.c | 5 ++++-
|
|
tests/data/Makefile.inc | 2 +-
|
|
tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++
|
|
3 files changed, 40 insertions(+), 2 deletions(-)
|
|
create mode 100644 tests/data/test1289
|
|
|
|
--- a/src/tool_urlglob.c
|
|
+++ b/src/tool_urlglob.c
|
|
@@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob
|
|
}
|
|
errno = 0;
|
|
max_n = strtoul(pattern, &endp, 10);
|
|
- if(errno || (*endp == ':')) {
|
|
+ if(errno)
|
|
+ /* overflow */
|
|
+ endp = NULL;
|
|
+ else if(*endp == ':') {
|
|
pattern = endp+1;
|
|
errno = 0;
|
|
step_n = strtoul(pattern, &endp, 10);
|