1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-22 08:08:50 -05:00

cookie: replace use of fgets() with custom version

... that will ignore lines that are too long to fit in the buffer.

CVE-2016-8615

Bug: https://curl.haxx.se/docs/adv_20161102A.html
Reported-by: Cure53
This commit is contained in:
Daniel Stenberg 2016-09-27 17:36:19 +02:00
parent 811a693b80
commit cff89bc088

View File

@ -902,6 +902,35 @@ Curl_cookie_add(struct Curl_easy *data,
return co;
}
/*
* get_line() makes sure to only return complete whole lines that fit in 'len'
* bytes and end with a newline.
*/
static char *get_line(char *buf, int len, FILE *input)
{
bool partial = FALSE;
while(1) {
char *b = fgets(buf, len, input);
if(b) {
size_t rlen = strlen(b);
if(rlen && (b[rlen-1] == '\n')) {
if(partial) {
partial = FALSE;
continue;
}
return b;
}
else
/* read a partial, discard the next piece that ends with newline */
partial = TRUE;
}
else
break;
}
return NULL;
}
/*****************************************************************************
*
* Curl_cookie_init()
@ -958,7 +987,7 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
line = malloc(MAX_COOKIE_LINE);
if(!line)
goto fail;
while(fgets(line, MAX_COOKIE_LINE, fp)) {
while(get_line(line, MAX_COOKIE_LINE, fp)) {
if(checkprefix("Set-Cookie:", line)) {
/* This is a cookie line, get it! */
lineptr=&line[11];