diff options
author | Daniel Stenberg <daniel@haxx.se> | 2018-03-23 23:30:04 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2018-05-14 07:40:31 +0200 |
commit | 583b42cb3b809b1bf597af160468ccba728c2248 (patch) | |
tree | 840ffd3a12601aa8af48500e79a41a10bd8db959 | |
parent | 8c7b3737d29ed5c0575bf592063de8a51450812d (diff) | |
download | curl-583b42cb3b809b1bf597af160468ccba728c2248.tar.gz |
pingpong: fix response cache memcpy overflow
Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.
Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
-rw-r--r-- | lib/pingpong.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/pingpong.c b/lib/pingpong.c index 438856a99..ad370ee82 100644 --- a/lib/pingpong.c +++ b/lib/pingpong.c @@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd, * it would have been populated with something of size int to begin * with, even though its datatype may be larger than an int. */ - DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1)); + if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) { + failf(data, "cached response data too big to handle"); + return CURLE_RECV_ERROR; + } memcpy(ptr, pp->cache, pp->cache_size); gotbytes = (ssize_t)pp->cache_size; free(pp->cache); /* free the cache */ |