mirror of
https://github.com/openwrt/openwrt.git
synced 2025-02-02 17:20:59 +00:00
9bc43f3e65
This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
34 lines
1.1 KiB
Diff
34 lines
1.1 KiB
Diff
From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Thu, 8 Mar 2018 10:33:16 +0100
|
|
Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
|
|
|
|
CVE-2018-1000122
|
|
Bug: https://curl.haxx.se/docs/adv_2018-b047.html
|
|
|
|
Detected by OSS-fuzz
|
|
---
|
|
lib/transfer.c | 9 +++++++--
|
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
|
--- a/lib/transfer.c
|
|
+++ b/lib/transfer.c
|
|
@@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu
|
|
|
|
} /* if(!header and data to read) */
|
|
|
|
- if(conn->handler->readwrite &&
|
|
- (excess > 0 && !conn->bits.stream_was_rewound)) {
|
|
+ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
|
|
/* Parse the excess data */
|
|
k->str += nread;
|
|
+
|
|
+ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
|
|
+ /* the excess amount was too excessive(!), make sure
|
|
+ it doesn't read out of buffer */
|
|
+ excess = &k->buf[data->set.buffer_size] - k->str;
|
|
+ }
|
|
nread = (ssize_t)excess;
|
|
|
|
result = conn->handler->readwrite(data, conn, &nread, &readmore);
|