pingpong: fix response cache memcpy overflow
Response data for a handle with a large buffer might be cached and then used with the "closure" handle when it has a smaller buffer; the larger cache is then copied into, and overflows, the new smaller heap-based buffer. Reported-by: Dario Weisser CVE: CVE-2018-1000300 Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
This commit is contained in:
parent
8c7b3737d2
commit
583b42cb3b
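--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
  * it would have been populated with something of size int to begin
  * with, even though its datatype may be larger than an int.
  */
-DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
+if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
+failf(data, "cached response data too big to handle");
+return CURLE_RECV_ERROR;
+}
 memcpy(ptr, pp->cache, pp->cache_size);
 gotbytes = (ssize_t)pp->cache_size;
 free(pp->cache); /* free the cache */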
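Review bot: The new `if` line forms `ptr + pp->cache_size` before comparing it against the end of `buf`, and in exactly the oversized-cache case this check exists to catch that sum points past the end of the buffer, which is out-of-bounds pointer arithmetic the compiler is free to treat as undefined. Comparing lengths instead keeps every pointer expression inside the object: `if(pp->cache_size > (size_t)(buf + data->set.buffer_size + 1 - ptr)) {`. Whether `buf` really spans `data->set.buffer_size + 1` bytes is not visible in this hunk and should be confirmed against its allocation, since the check is only as good as that bound. On the error return `pp->cache` stays allocated; presumably it is released when the pingpong state is torn down, but that happens outside this hunk. Curl_pp_readresp begins and ends outside the hunk.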