aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/utils/curl/patches/114-CVE-2018-1000301.patch
diff options
context:
space:
mode:
Diffstat (limited to 'package/network/utils/curl/patches/114-CVE-2018-1000301.patch')
-rw-r--r--package/network/utils/curl/patches/114-CVE-2018-1000301.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/114-CVE-2018-1000301.patch b/package/network/utils/curl/patches/114-CVE-2018-1000301.patch
new file mode 100644
index 0000000000..993c985060
--- /dev/null
+++ b/package/network/utils/curl/patches/114-CVE-2018-1000301.patch
@@ -0,0 +1,39 @@
+From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Sat, 24 Mar 2018 23:47:41 +0100
+Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
+
+... leaving the k->str could lead to buffer over-reads later on.
+
+CVE: CVE-2018-1000301
+Assisted-by: Max Dymond
+
+Detected by OSS-Fuzz.
+Bug: https://curl.haxx.se/docs/adv_2018-b138.html
+Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
+---
+ lib/http.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -2924,6 +2924,8 @@ CURLcode Curl_http_readwrite_headers(str
+ {
+ CURLcode result;
+ struct SingleRequest *k = &data->req;
++ ssize_t onread = *nread;
++ char *ostr = k->str;
+
+ /* header line within buffer loop */
+ do {
+@@ -2988,7 +2990,9 @@ CURLcode Curl_http_readwrite_headers(str
+ else {
+ /* this was all we read so it's all a bad header */
+ k->badheader = HEADER_ALLBAD;
+- *nread = (ssize_t)rest_length;
++ *nread = onread;
++ k->str = ostr;
++ return CURLE_OK;
+ }
+ break;
+ }
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-01 22:10:22 +0000