pingpong: fix response cache memcpy overflow

Response data for a handle with a large buffer might be cached and then used with the "closure" handle when it has a smaller buffer and then the larger cache will be copied and overflow the new smaller heap based buffer.
Reported-by: Dario Weisser CVE: CVE-2018-1000300 Bug: https://curl.haxx.se/docs/adv_2018-82c2.html Affects curl >= 7.54.1 && curl <= 7.59.0 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> --- .../curl/curl/CVE-2018-1000300.patch | 44 ++++++++++++++++++++++ meta/recipes-support/curl/curl_7.58.0.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta/recipes-support/curl/curl/CVE-2018-1000300.patch diff --git a/meta/recipes-support/curl/curl/CVE-2018-1000300.patch b/meta/recipes-support/curl/curl/CVE-2018-1000300.patch new file mode 100644 index 0000000..893d45c --- /dev/null +++ b/meta/recipes-support/curl/curl/CVE-2018-1000300.patch 
@@ -0,0 +1,44 @@ +From 0a79d714bd55779a3a223efb5c089d0ad7e128a8 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <dan...@haxx.se> +Date: Fri, 23 Mar 2018 23:30:04 +0100 +Subject: [PATCH] pingpong: fix response cache memcpy overflow + +Response data for a handle with a large buffer might be cached and then +used with the "closure" handle when it has a smaller buffer and then the +larger cache will be copied and overflow the new smaller heap based +buffer. + +Reported-by: Dario Weisser + +CVE: CVE-2018-1000300 +Bug: https://curl.haxx.se/docs/adv_2018-82c2.html +Upstream-Status: Backport [https://github.com/curl/curl-www/commit/3ee30b2b5e3836345ac510bc1674aa3a4272936e] + +Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com> +--- + lib/pingpong.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/lib/pingpong.c b/lib/pingpong.c +index 438856a99..ad370ee82 100644 +--- a/lib/pingpong.c ++++ b/lib/pingpong.c +@@ -302,11 +302,14 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd, + * + * pp->cache_size is cast to ssize_t here. This should be safe, because + * it would have been populated with something of size int to begin + * with, even though its datatype may be larger than an int. + */ +- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1)); ++ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) { ++ failf(data, "cached response data too big to handle"); ++ return CURLE_RECV_ERROR; ++ } + memcpy(ptr, pp->cache, pp->cache_size); + gotbytes = (ssize_t)pp->cache_size; + free(pp->cache); /* free the cache */ + pp->cache = NULL; /* clear the pointer */ + pp->cache_size = 0; /* zero the size just in case */ +-- +2.17.0 + diff --git a/meta/recipes-support/curl/curl_7.58.0.bb b/meta/recipes-support/curl/curl_7.58.0.bb index d2d0180..fdfbb3d 100644 --- a/meta/recipes-support/curl/curl_7.58.0.bb +++ b/meta/recipes-support/curl/curl_7.58.0.bb 
@@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = "file://COPYING;beginline=8;md5=3a34942f4ae3fbf1a303160714e66 SRC_URI = "http://curl.haxx.se/download/curl-${PV}.tar.bz2 \ file://0001-replace-krb5-config-with-pkg-config.patch \ + file://CVE-2018-1000300.patch \ " -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
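Review bot: the Upstream-Status line in the added patch file points at the curl-www repository (github.com/curl/curl-www/commit/3ee30b2b5e3836345ac510bc1674aa3a4272936e), which is the website repository, while the patch header itself identifies the fix as curl commit 0a79d714bd55779a3a223efb5c089d0ad7e128a8; the Backport reference should cite the curl source commit so the backport can be compared against upstream. A second, minor point on the code change: the new early return after `failf(data, "cached response data too big to handle")` skips the `free(pp->cache)` and `pp->cache = NULL` lines that follow the memcpy, so the oversized cache stays attached to the connection on the error path; that is acceptable only if connection teardown releases pp->cache, which is worth confirming in the review rather than assuming.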
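Review bot: the SRC_URI entry matches the file name created under meta/recipes-support/curl/curl/, and because the patch file carries a `CVE: CVE-2018-1000300` tag the cve-check class will pick it up, so no further recipe variable needs to change. It would help reviewers if the cover text said explicitly that 7.58.0 lies inside the stated affected range (>= 7.54.1 && <= 7.59.0), which is what justifies carrying the backport in this recipe.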
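As an added illustration of the check introduced by the patch above (example code written for this page, not curl's or the recipe's own), the following C program models the response cache and the two handles from the commit message: a large handle leaves bytes in the cache, and a smaller "closure" handle reads next. The type and function names (pp_cache, pp_handle, pp_cache_store, pp_drain_cache, pp_demo), the buffer sizes and the 40-byte sample response are constructed for the example; the size comparison is the non-pointer form of the patch's `(ptr + cache_size) > (buf + buffer_size + 1)` test, and PP_RECV_ERROR stands in for CURLE_RECV_ERROR by name only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Example model of curl's pingpong response cache; not curl's code.
 * All names below are assumptions made for this illustration. */

enum { PP_OK = 0, PP_RECV_ERROR = 1 };

/* Leftover response bytes kept between reads on one connection. */
typedef struct {
    char *cache;
    size_t cache_size;
} pp_cache;

/* A transfer handle with its own receive buffer of buffer_size + 1 bytes,
 * matching the "buf + buffer_size + 1" bound used in the patch. */
typedef struct {
    size_t buffer_size;
    char *buf;
} pp_handle;

static int pp_handle_init(pp_handle *h, size_t buffer_size)
{
    h->buffer_size = buffer_size;
    h->buf = calloc(buffer_size + 1, 1);
    return h->buf ? PP_OK : PP_RECV_ERROR;
}

/* Store bytes read by one handle (possibly a large one) for a later read. */
static int pp_cache_store(pp_cache *pp, const char *data, size_t len)
{
    char *copy = malloc(len ? len : 1);
    if (!copy)
        return PP_RECV_ERROR;
    memcpy(copy, data, len);
    free(pp->cache);
    pp->cache = copy;
    pp->cache_size = len;
    return PP_OK;
}

/* Drain the cache into the buffer of whichever handle reads next.  If the
 * cached data does not fit, refuse (as the fixed code does) instead of
 * letting memcpy run past the end of the smaller buffer. */
static int pp_drain_cache(pp_cache *pp, pp_handle *h, size_t *gotbytes)
{
    *gotbytes = 0;
    if (pp->cache_size > h->buffer_size + 1)
        return PP_RECV_ERROR;   /* "cached response data too big to handle" */
    memcpy(h->buf, pp->cache, pp->cache_size);
    *gotbytes = pp->cache_size;
    free(pp->cache);            /* free the cache */
    pp->cache = NULL;           /* clear the pointer */
    pp->cache_size = 0;         /* zero the size */
    return PP_OK;
}

/* Walk the scenario from the commit message: a 64-byte handle leaves 40
 * bytes in the cache, then a 16-byte "closure" handle reads.  Returns 0
 * when every step behaves as the fixed code should, otherwise the number
 * of the first step that did not (-1 on allocation failure). */
static int pp_demo(void)
{
    pp_cache pp = { NULL, 0 };
    pp_handle big, small;
    char data[40];               /* constructed sample response bytes */
    size_t got = 0;
    int step;

    memset(data, 'A', sizeof data);
    if (pp_handle_init(&big, 64) != PP_OK)
        return -1;
    if (pp_handle_init(&small, 16) != PP_OK) {
        free(big.buf);
        return -1;
    }
    step = 1;   /* the large handle caches more than the small one can hold */
    if (pp_cache_store(&pp, data, sizeof data) != PP_OK) goto done;
    step = 2;   /* draining into the small handle is rejected, nothing copied */
    if (pp_drain_cache(&pp, &small, &got) != PP_RECV_ERROR || got != 0) goto done;
    step = 3;   /* the cache is left intact on the error path */
    if (pp.cache_size != sizeof data) goto done;
    step = 4;   /* the large handle can still take the cached bytes */
    if (pp_drain_cache(&pp, &big, &got) != PP_OK || got != sizeof data) goto done;
    step = 5;   /* bytes arrived unchanged and the cache was released */
    if (memcmp(big.buf, data, sizeof data) != 0 || pp.cache != NULL) goto done;
    step = 0;
done:
    free(pp.cache);
    free(big.buf);
    free(small.buf);
    return step;
}

int main(void)
{
    int rc = pp_demo();
    printf("scenario %s (step %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc != 0;
}
```

Build with `cc -Wall -o pp_demo pp_demo.c && ./pp_demo`; the program reports `scenario ok (step 0)` when the oversized cache is refused for the small handle and accepted by the large one. The pre-fix code had only a DEBUGASSERT at this point, which compiles away in release builds, so the memcpy in step 2 would have written past the smaller buffer.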