path: root/package/network/utils/curl/patches/109-CVE-2018-1000005.patch
Diffstat (limited to 'package/network/utils/curl/patches/109-CVE-2018-1000005.patch')
-rw-r--r--package/network/utils/curl/patches/109-CVE-2018-1000005.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/109-CVE-2018-1000005.patch b/package/network/utils/curl/patches/109-CVE-2018-1000005.patch
new file mode 100644
index 0000000000..76d0ea771f
--- /dev/null
+++ b/package/network/utils/curl/patches/109-CVE-2018-1000005.patch
@@ -0,0 +1,34 @@
+From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
+From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
+Date: Wed, 10 Jan 2018 10:12:18 -0800
+Subject: [PATCH] http2: fix incorrect trailer buffer size
+
+Prior to this change the stored byte count of each trailer was
+miscalculated and 1 less than required. It appears any trailer
+after the first that was passed to Curl_client_write would be truncated
+or corrupted as well as the size. Potentially the size of some
+subsequent trailer could be erroneously extracted from the contents of
+that trailer, and since that size is used by client write an
+out-of-bounds read could occur and cause a crash or be otherwise
+processed by client write.
+
+The bug appears to have been born in 0761a51 (precedes 7.49.0).
+
+Closes https://github.com/curl/curl/pull/2231
+---
+ lib/http2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/http2.c
++++ b/lib/http2.c
+@@ -864,8 +864,8 @@ static int on_header(nghttp2_session *se
+
+ if(stream->bodystarted) {
+ /* This is trailer fields. */
+- /* 3 is for ":" and "\r\n". */
+- uint32_t n = (uint32_t)(namelen + valuelen + 3);
++ /* 4 is for ": " and "\r\n". */
++ uint32_t n = (uint32_t)(namelen + valuelen + 4);
+
+ DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
+ value));
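Review bot: The corrected size on the new `uint32_t n = (uint32_t)(namelen + valuelen + 4);` line still narrows two `size_t` lengths into 32 bits with no range check, so a name/value pair whose combined length exceeded UINT32_MAX would yield a stored length that disagrees with the bytes later written for it — the same size/content mismatch this patch exists to fix. nghttp2's header-list size limits very likely make that unreachable in practice, but the invariant is cheaper to audit if it is enforced where `n` is computed, e.g. `if(namelen + valuelen + 4 > UINT32_MAX) return NGHTTP2_ERR_CALLBACK_FAILURE;` immediately before the assignment. The code that must agree with `n` — the emission of `": "` and `"\r\n"` that the updated comment describes — lies below the hunk and cannot be checked from this view, and `on_header` itself begins and ends outside the hunk. Separately, the context `DEBUGF(infof(... "%.*s: %.*s\n", namelen, name, valuelen, value))` passes `size_t` values where the `*` precision requires an `int`; that is pre-existing debug-only code, but an `(int)` cast there would avoid relying on the argument width matching.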