From 9bc43f3e65bc8e0bb3d0c5ea8ff906111197afb9 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens <hauke@hauke-m.de>
Date: Fri, 10 Aug 2018 21:39:06 +0200
Subject: curl: fix some security problems

This fixes the following security problems:
* CVE-2017-1000254: FTP PWD response parser out of bounds read
* CVE-2017-1000257: IMAP FETCH response out of bounds read
* CVE-2018-1000005: HTTP/2 trailer out-of-bounds read
* CVE-2018-1000007: HTTP authentication leak in redirects
* CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write
* CVE-2018-1000121: LDAP NULL pointer dereference
* CVE-2018-1000122: RTSP RTP buffer over-read
* CVE-2018-1000301: RTSP bad headers buffer over-read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
 .../utils/curl/patches/113-CVE-2018-1000122.patch  | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 package/network/utils/curl/patches/113-CVE-2018-1000122.patch

(limited to 'package/network/utils/curl/patches/113-CVE-2018-1000122.patch')

diff --git a/package/network/utils/curl/patches/113-CVE-2018-1000122.patch b/package/network/utils/curl/patches/113-CVE-2018-1000122.patch
new file mode 100644
index 0000000000..68a81aef8a
--- /dev/null
+++ b/package/network/utils/curl/patches/113-CVE-2018-1000122.patch
@@ -0,0 +1,33 @@
+From d70b74d6f893947aa22d3f14df10f92a8c349388 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 8 Mar 2018 10:33:16 +0100
+Subject: [PATCH] readwrite: make sure excess reads don't go beyond buffer end
+
+CVE-2018-1000122
+Bug: https://curl.haxx.se/docs/adv_2018-b047.html
+
+Detected by OSS-fuzz
+---
+ lib/transfer.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -791,10 +791,15 @@ static CURLcode readwrite_data(struct Cu
+ 
+     } /* if(!header and data to read) */
+ 
+-    if(conn->handler->readwrite &&
+-       (excess > 0 && !conn->bits.stream_was_rewound)) {
++    if(conn->handler->readwrite && excess && !conn->bits.stream_was_rewound) {
+       /* Parse the excess data */
+       k->str += nread;
++
++      if(&k->str[excess] > &k->buf[data->set.buffer_size]) {
++        /* the excess amount was too excessive(!), make sure
++           it doesn't read out of buffer */
++        excess = &k->buf[data->set.buffer_size] - k->str;
++      }
+       nread = (ssize_t)excess;
+ 
+       result = conn->handler->readwrite(data, conn, &nread, &readmore);
-- 
cgit v1.2.3