moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00
Code Issues Releases Wiki Activity

cookie: cookie parser out of boundary memory access

Browse Source 
The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.

CVE-2015-3145

Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
This commit is contained in:
Daniel Stenberg 2015-04-16 16:37:40 +02:00
parent 31be461c6b
commit b5f947b8ac
1 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/cookie.c
View File

@ -225,11 +225,14 @@ static char *sanitize_cookie_path(const char *cookie_path)
return NULL;
/* some stupid site sends path attribute with '"'. */
len = strlen(new_path);
if(new_path[0] == '\"') {
memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
memmove((void *)new_path, (const void *)(new_path + 1), len);
len--;
}
if(new_path[strlen(new_path) - 1] == '\"') {
new_path[strlen(new_path) - 1] = 0x0;
if(len && (new_path[len - 1] == '\"')) {
new_path[len - 1] = 0x0;
len--;
}
/* RFC6265 5.2.4 The Path Attribute */
@ -241,8 +244,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
}
/* convert /hoge/ to /hoge */
len = strlen(new_path);
if(1 < len && new_path[len - 1] == '/') {
if(len && new_path[len - 1] == '/') {
new_path[len - 1] = 0x0;
}