[GNUnet-SVN] [gnurl] 162/178: pingpong: fix response cache memcpy overflow
From: gnunet
Subject: [GNUnet-SVN] [gnurl] 162/178: pingpong: fix response cache memcpy overflow
Date: Wed, 23 May 2018 12:26:37 +0200
This is an automated email from the git hooks/post-receive script.
ng0 pushed a commit to branch master
in repository gnurl.
commit 583b42cb3b809b1bf597af160468ccba728c2248
Author: Daniel Stenberg <address@hidden>
AuthorDate: Fri Mar 23 23:30:04 2018 +0100
pingpong: fix response cache memcpy overflow
Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.
Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
---
lib/pingpong.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/pingpong.c b/lib/pingpong.c
index 438856a99..ad370ee82 100644
--- a/lib/pingpong.c
+++ b/lib/pingpong.c
@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
* it would have been populated with something of size int to begin
* with, even though its datatype may be larger than an int.
*/
- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
+ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
+ failf(data, "cached response data too big to handle");
+ return CURLE_RECV_ERROR;
+ }
memcpy(ptr, pp->cache, pp->cache_size);
gotbytes = (ssize_t)pp->cache_size;
free(pp->cache); /* free the cache */
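Review bot: the new over-size branch returns CURLE_RECV_ERROR with pp->cache still allocated, while the success path frees it right after the copy (`free(pp->cache); /* free the cache */`); either release and clear the cache before the early return as well, or confirm that connection teardown frees it, so a rejected cache is neither leaked nor re-attempted on the next read. The bound itself is unchanged from the DEBUGASSERT (`buf + data->set.buffer_size + 1`), so the fix only makes the check unconditional where it was previously compiled out of non-debug builds, which is the right shape for this bug.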
--
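As an added example (not curl's or gnurl's own code), a small C model of the scenario the commit message describes: response data cached while a handle with a large buffer was attached is later drained into a "closure" handle that owns a smaller buffer, with the patched size check in place of the DEBUGASSERT. Names such as pp_drain_cache and replay_handle_switch, and the result codes, are assumptions; only the bound mirrors the patch.

```c
#include <stdlib.h>
#include <string.h>
/* Result codes standing in for CURLE_OK / CURLE_RECV_ERROR (names assumed). */
enum pp_result { PP_OK = 0, PP_RECV_ERROR = 1 };
/* Stand-in for curl's pingpong state: heap cache of leftover response bytes. */
struct pingpong { char *cache; size_t cache_size; };
/* Stand-in for an easy handle: its own heap receive buffer (+1, as in the bound). */
struct handle { size_t buffer_size; char *buf; };

static struct handle handle_new(size_t buffer_size) {
  struct handle h = { buffer_size, malloc(buffer_size + 1) };
  return h;
}

/* Leave n bytes of response data in the connection cache, as a read done
 * while a large-buffer handle was attached can. Constructed sample data. */
static void pp_cache_fill(struct pingpong *pp, size_t n) {
  pp->cache = malloc(n);
  memset(pp->cache, 'A', n);
  pp->cache_size = n;
}

/* The patched drain: the size comparison is the same bound as the patch's
 * pointer comparison (ptr + cache_size vs buf + buffer_size + 1), but is
 * enforced unconditionally rather than by a DEBUGASSERT. */
static enum pp_result pp_drain_cache(struct pingpong *pp, struct handle *h,
                                     size_t *gotbytes) {
  if (pp->cache_size > h->buffer_size + 1)
    return PP_RECV_ERROR; /* "cached response data too big to handle" */
  memcpy(h->buf, pp->cache, pp->cache_size);
  *gotbytes = pp->cache_size;
  free(pp->cache);
  pp->cache = NULL; pp->cache_size = 0;
  return PP_OK;
}

/* Replay the commit message's scenario: data cached under a handle with a
 * big buffer, then drained by a "closure" handle with a small one. */
enum pp_result replay_handle_switch(size_t big, size_t small, size_t cached,
                                    size_t *got) {
  struct pingpong pp = { NULL, 0 };
  struct handle a = handle_new(big), b = handle_new(small);
  enum pp_result r;
  *got = 0;
  pp_cache_fill(&pp, cached);       /* produced while handle a was attached */
  r = pp_drain_cache(&pp, &b, got); /* now only handle b's buffer is there */
  free(pp.cache); free(a.buf); free(b.buf);
  return r;
}
```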