cookie: cookie parser out of boundary memory access

The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus destroying heap memory it wasn't supposed to. CVE-2015-3145 Bug: http://curl.haxx.se/docs/adv_20150422C.html Reported-by: Hanno Böck
2015-04-16 16:37:40 +02:00 · 2015-04-16 16:37:40 +02:00 · b5f947b8ac
parent 31be461c6b
commit b5f947b8ac
1 changed files with 7 additions and 5 deletions
--- a/lib/cookie.c
+++ b/lib/cookie.c
@ -225,11 +225,14 @@ static char *sanitize_cookie_path(const char *cookie_path)
    return NULL;

  /* some stupid site sends path attribute with '"'. */
+  len = strlen(new_path);
  if(new_path[0] == '\"') {
-    memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
+    memmove((void *)new_path, (const void *)(new_path + 1), len);
+    len--;
  }
-  if(new_path[strlen(new_path) - 1] == '\"') {
-    new_path[strlen(new_path) - 1] = 0x0;
+  if(len && (new_path[len - 1] == '\"')) {
+    new_path[len - 1] = 0x0;
+    len--;
  }

  /* RFC6265 5.2.4 The Path Attribute */
@ -241,8 +244,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
  }

  /* convert /hoge/ to /hoge */
-  len = strlen(new_path);
-  if(1 < len && new_path[len - 1] == '/') {
+  if(len && new_path[len - 1] == '/') {
    new_path[len - 1] = 0x0;
  }