ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-23 12:58:23 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity
9bc43f3e65
openwrt/package/network/utils/curl/patches/105-CVE-2017-1000254.patch
Hauke Mehrtens 9bc43f3e65 curl: fix some security problems 
This fixes the following security problems:
* CVE-2017-1000254: FTP PWD response parser out of bounds read
* CVE-2017-1000257: IMAP FETCH response out of bounds read
* CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
* CVE-2018-1000007: HTTP authentication leak in redirects
* CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write
* CVE-2018-1000121: LDAP NULL pointer dereference
* CVE-2018-1000122: RTSP RTP buffer over-read
* CVE-2018-1000301: RTSP bad headers buffer over-read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-08-10 22:56:31 +02:00

50 lines
1.7 KiB
Diff
Raw Blame History

From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Sep 2017 00:35:22 +0200
Subject: [PATCH] FTP: zero terminate the entry path even on bad input
... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254
Test 1152 added to verify.
Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
---
lib/ftp.c | 7 ++++--
tests/data/Makefile.inc | 1 +
tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+), 2 deletions(-)
create mode 100644 tests/data/test1152
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
char *ptr=&data->state.buffer[4]; /* start on the first letter */
char *dir;
char *store;
+ bool entry_extracted = FALSE;
dir = malloc(nread + 1);
if(!dir)
@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
}
else {
/* end of path */
- *store = '\0'; /* zero terminate */
+ entry_extracted = TRUE;
break; /* get out of this loop */
}
}
@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
store++;
ptr++;
}
-
+ *store = '\0'; /* zero terminate */
+ }
+ if(entry_extracted) {
/* If the path name does not look like an absolute path (i.e.: it
does not start with a '/'), we probably need some server-dependent
adjustments. For example, this is the case when connecting to
Reference in New Issue View Git Blame Copy Permalink