mirror of
https://github.com/moparisthebest/curl
synced 2024-11-05 00:55:04 -05:00
smtp: use the upload buffer size for scratch buffer malloc
... not the read buffer size, as that can be set smaller and thus cause a buffer overflow! CVE-2018-0500 Reported-by: Peter Wu Bug: https://curl.haxx.se/docs/adv_2018-70a2.html
This commit is contained in:
parent
0b4ccc97f2
commit
ba1dbd78e5
@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
|
||||
if(!scratch || data->set.crlf) {
|
||||
oldscratch = scratch;
|
||||
|
||||
scratch = newscratch = malloc(2 * data->set.buffer_size);
|
||||
scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE);
|
||||
if(!newscratch) {
|
||||
failf(data, "Failed to alloc scratch buffer!");
|
||||
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
}
|
||||
}
|
||||
DEBUGASSERT(UPLOAD_BUFSIZE >= nread);
|
||||
|
||||
/* Have we already sent part of the EOB? */
|
||||
eob_sent = smtp->eob;
|
||||
|
Loading…
Reference in New Issue
Block a user