Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
curl.3009
curl-CVE-2015-3145.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2015-3145.patch of Package curl.3009
From ea595c516bc936a514753597aa6c59fd6eb0765e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Thu, 16 Apr 2015 16:37:40 +0200 Subject: [PATCH] cookie: cookie parser out of boundary memory access MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to. CVE-2015-3145 Bug: http://curl.haxx.se/docs/adv_20150422C.html Reported-by: Hanno Böck --- lib/cookie.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/lib/cookie.c b/lib/cookie.c index 0864f6b..0127926 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -223,15 +223,18 @@ static char *sanitize_cookie_path(const char *cookie_path) char *new_path = strdup(cookie_path); if(!new_path) return NULL; /* some stupid site sends path attribute with '"'. */ + len = strlen(new_path); if(new_path[0] == '\"') { - memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path)); + memmove((void *)new_path, (const void *)(new_path + 1), len); + len--; } - if(new_path[strlen(new_path) - 1] == '\"') { - new_path[strlen(new_path) - 1] = 0x0; + if(len && (new_path[len - 1] == '\"')) { + new_path[len - 1] = 0x0; + len--; } /* RFC6265 5.2.4 The Path Attribute */ if(new_path[0] != '/') { /* Let cookie-path be the default-path. */ @@ -239,12 +242,11 @@ static char *sanitize_cookie_path(const char *cookie_path) new_path = strdup("/"); return new_path; } /* convert /hoge/ to /hoge */ - len = strlen(new_path); - if(1 < len && new_path[len - 1] == '/') { + if(len && new_path[len - 1] == '/') { new_path[len - 1] = 0x0; } return new_path; } -- 2.1.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor