mirror of
https://github.com/moparisthebest/curl
synced 2024-12-21 23:58:49 -05:00
url: fix buffer overwrite with file protocol (CVE-2017-9502)
Bug: https://github.com/curl/curl/issues/1540 Advisory: https://curl.haxx.se/docs/adv_20170614.html Assisted-by: Ray Satiro Reported-by: Marcel Raad
This commit is contained in:
parent
5fa028e508
commit
5d7952f52e
27
lib/url.c
27
lib/url.c
@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
|
||||
#endif
|
||||
|
||||
protop = "file"; /* protocol string */
|
||||
*prot_missing = !url_has_scheme;
|
||||
}
|
||||
else {
|
||||
/* clear path */
|
||||
@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
|
||||
|
||||
size_t plen = strlen(path); /* new path, should be 1 byte longer than
|
||||
the original */
|
||||
size_t urllen = strlen(data->change.url); /* original URL length */
|
||||
|
||||
size_t prefixlen = strlen(conn->host.name);
|
||||
|
||||
if(!*prot_missing)
|
||||
prefixlen += strlen(protop) + strlen("://");
|
||||
if(!*prot_missing) {
|
||||
size_t protolen = strlen(protop);
|
||||
|
||||
reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */
|
||||
if(curl_strnequal(protop, data->change.url, protolen))
|
||||
prefixlen += protolen;
|
||||
else {
|
||||
failf(data, "<url> malformed");
|
||||
return CURLE_URL_MALFORMAT;
|
||||
}
|
||||
|
||||
if(curl_strnequal("://", &data->change.url[protolen], 3))
|
||||
prefixlen += 3;
|
||||
/* only file: is allowed to omit one or both slashes */
|
||||
else if(curl_strnequal("file:", data->change.url, 5))
|
||||
prefixlen += 1 + (data->change.url[5] == '/');
|
||||
else {
|
||||
failf(data, "<url> malformed");
|
||||
return CURLE_URL_MALFORMAT;
|
||||
}
|
||||
}
|
||||
|
||||
reurl = malloc(prefixlen + plen + 1);
|
||||
if(!reurl)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user