Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
curl
curl-CVE-2016-8623.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File curl-CVE-2016-8623.patch of Package curl
From b05d7b8d8f8dd0cf717e53324af46f62b27db5ea Mon Sep 17 00:00:00 2001 From: Daniel Stenberg <daniel@haxx.se> Date: Tue, 4 Oct 2016 23:26:13 +0200 Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies Previously it only held references to them, which was reckless as the thread lock was released so the cookies could get modified by other handles that share the same cookie jar over the share interface. --- lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++--------------------- lib/cookie.h | 4 ++-- lib/http.c | 2 +- 3 files changed, 43 insertions(+), 24 deletions(-) Index: curl-7.37.0/lib/cookie.c =================================================================== --- curl-7.37.0.orig/lib/cookie.c 2016-10-20 15:12:17.759776851 +0200 +++ curl-7.37.0/lib/cookie.c 2016-10-20 15:17:06.188348997 +0200 @@ -981,6 +981,40 @@ static int cookie_sort(const void *p1, c return 0; } +#define CLONE(field) \ + do { \ + if(src->field) { \ + dup->field = strdup(src->field); \ + if(!dup->field) \ + goto fail; \ + } \ + } while(0) + +static struct Cookie *dup_cookie(struct Cookie *src) +{ + struct Cookie *dup = calloc(sizeof(struct Cookie), 1); + if(dup) { + CLONE(expirestr); + CLONE(domain); + CLONE(path); + CLONE(spath); + CLONE(name); + CLONE(value); + CLONE(maxage); + CLONE(version); + dup->expires = src->expires; + dup->tailmatch = src->tailmatch; + dup->secure = src->secure; + dup->livecookie = src->livecookie; + dup->httponly = src->httponly; + } + return dup; + + fail: + freecookie(dup); + return NULL; +} + /***************************************************************************** * * Curl_cookie_getlist() @@ -1036,11 +1070,8 @@ struct Cookie *Curl_cookie_getlist(struc /* and now, we know this is a match and we should create an entry for the return-linked-list */ - newco = malloc(sizeof(struct Cookie)); + newco = dup_cookie(co); if(newco) { - /* first, copy the whole source cookie: */ - memcpy(newco, co, sizeof(struct Cookie)); - /* then modify our next */ newco->next = mainco; @@ -1052,12 +1083,7 @@ struct Cookie *Curl_cookie_getlist(struc else { fail: /* failure, clear up the allocated chain and return NULL */ - while(mainco) { - co = mainco->next; - free(mainco); - mainco = co; - } - + Curl_cookie_freelist(mainco); return NULL; } } @@ -1109,7 +1135,7 @@ struct Cookie *Curl_cookie_getlist(struc void Curl_cookie_clearall(struct CookieInfo *cookies) { if(cookies) { - Curl_cookie_freelist(cookies->cookies, TRUE); + Curl_cookie_freelist(cookies->cookies); cookies->cookies = NULL; cookies->numcookies = 0; } @@ -1121,22 +1147,15 @@ void Curl_cookie_clearall(struct CookieI * * Free a list of cookies previously returned by Curl_cookie_getlist(); * - * The 'cookiestoo' argument tells this function whether to just free the - * list or actually also free all cookies within the list as well. - * ****************************************************************************/ -void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo) +void Curl_cookie_freelist(struct Cookie *co) { struct Cookie *next; if(co) { while(co) { next = co->next; - if(cookiestoo) - freecookie(co); - else - free(co); /* we only free the struct since the "members" are all just - pointed out in the main cookie list! */ + freecookie(co); co = next; } } Index: curl-7.37.0/lib/cookie.h =================================================================== --- curl-7.37.0.orig/lib/cookie.h 2016-10-20 15:12:17.759776851 +0200 +++ curl-7.37.0/lib/cookie.h 2016-10-20 15:12:18.467788106 +0200 @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *, const char *, bool); -void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo); +void Curl_cookie_freelist(struct Cookie *cookies); void Curl_cookie_clearall(struct CookieInfo *cookies); void Curl_cookie_clearsess(struct CookieInfo *cookies); Index: curl-7.37.0/lib/http.c =================================================================== --- curl-7.37.0.orig/lib/http.c 2016-10-20 15:12:18.467788106 +0200 +++ curl-7.37.0/lib/http.c 2016-10-20 15:17:28.188697021 +0200 @@ -2329,7 +2329,7 @@ CURLcode Curl_http(struct connectdata *c } co = co->next; /* next cookie please */ } - Curl_cookie_freelist(store, FALSE); /* free the cookie list */ + Curl_cookie_freelist(store); } if(addcookies && (CURLE_OK == result)) { if(!count)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor