[GNUnet-SVN] [gnurl] 136/150: readwrite: make sure excess reads don't go
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 136/150: readwrite: make sure excess reads don't go beyond buffer end
Date: Fri, 30 Mar 2018 16:49:50 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit d52dc4760f6d9ca1937eefa2093058a952465128
Author: Daniel Stenberg <address@hidden>
AuthorDate: Thu Mar 8 10:33:16 2018 +0100
readwrite: make sure excess reads don't go beyond buffer end
CVE-2018-1000122
Bug: https://curl.haxx.se/docs/adv_2018-b047.html
Detected by OSS-fuzz
---
lib/transfer.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/transfer.c b/lib/transfer.c
index c46ac25f4..fd9af3155 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -808,10 +808,15 @@ static CURLcode readwrite_data(struct Curl_easy *data,
} /* if(!header and data to read) */
- if(conn->handler->readwrite &&
- (excess > 0 && !conn->bits.stream_was_rewound)) {
+ if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
/* Parse the excess data */
k->str += nread;
+
+ if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
+ /* the excess amount was too excessive(!), make sure
+ it doesn't read out of buffer */
+ excess = &k->buf[data->set.buffer_size] - k->str;
+ }
nread = (ssize_t)excess;
result = conn->handler->readwrite(data, conn, &nread, &readmore);
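Review bot: the bounds check `if(&k->str[excess] > &k->buf[data->set.buffer_size])` forms the pointer `&k->str[excess]` before it is known that `excess` fits in the buffer, so for an oversized `excess` the comparison itself depends on pointer arithmetic past the end of the array, which C leaves undefined. Comparing lengths avoids that: compute the remaining room `&k->buf[data->set.buffer_size] - k->str` once and clamp when `excess` is larger than it. The clamp also assumes `k->str` is still at or before the buffer end after `k->str += nread`; if that invariant can fail, the difference is negative and `nread = (ssize_t)excess` hands a bad length to `conn->handler->readwrite`, so an explicit check or assertion on that would help. After clamping, `excess` can be 0 and the handler is still called with `nread` of 0; worth confirming that is intended. The diffstat lists only lib/transfer.c, so no regression test for the fuzzer-found input accompanies the fix.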