aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/utils/curl/patches/016-CVE-2015-3237.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/utils/curl/patches/016-CVE-2015-3237.patch')
-rw-r--r--package/network/utils/curl/patches/016-CVE-2015-3237.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/016-CVE-2015-3237.patch b/package/network/utils/curl/patches/016-CVE-2015-3237.patch
new file mode 100644
index 0000000000..6942a04edb
--- /dev/null
+++ b/package/network/utils/curl/patches/016-CVE-2015-3237.patch
@@ -0,0 +1,35 @@
+From d2f1a8bdce9d77a277d05adae025d369c1bdd9e6 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Fri, 22 May 2015 10:28:21 +0200
+Subject: [PATCH] SMB: rangecheck values read off incoming packet
+
+CVE-2015-3237
+
+Detected by Coverity. CID 1299430.
+
+Bug: http://curl.haxx.se/docs/adv_20150617B.html
+---
+ lib/smb.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/lib/smb.c
++++ b/lib/smb.c
+@@ -783,9 +783,15 @@ static CURLcode smb_request_state(struct
+ off = Curl_read16_le(((unsigned char *) msg) +
+ sizeof(struct smb_header) + 13);
+ if(len > 0) {
+- result = Curl_client_write(conn, CLIENTWRITE_BODY,
+- (char *)msg + off + sizeof(unsigned int),
+- len);
++ struct smb_conn *smbc = &conn->proto.smbc;
++ if(off + sizeof(unsigned int) + len > smbc->got) {
++ failf(conn->data, "Invalid input packet");
++ result = CURLE_RECV_ERROR;
++ }
++ else
++ result = Curl_client_write(conn, CLIENTWRITE_BODY,
++ (char *)msg + off + sizeof(unsigned int),
++ len);
+ if(result) {
+ req->result = result;
+ next_state = SMB_CLOSE;
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-09 01:45:24 +0000