diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2015-04-16 16:37:40 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2015-04-21 23:20:36 +0200 |
| commit | b5f947b8ac0e282c61c75b69cd5b9d37dafc6959 (patch) | |
| tree | 0bc44613fc2757e8112d72f491e3981879ac2bb5 /lib/cookie.c | |
| parent | 31be461c6b659312100c47be6ddd5f0f569290f6 (diff) | |
| download | curl-b5f947b8ac0e282c61c75b69cd5b9d37dafc6959.tar.gz | |
cookie: cookie parser out of boundary memory access
The internal libcurl function called sanitize_cookie_path() that cleans
up the path element as given to it from a remote site or when read from
a file, did not properly validate the input. If given a path that
consisted of a single double-quote, libcurl would index a newly
allocated memory area with index -1 and assign a zero to it, thus
destroying heap memory it wasn't supposed to.
CVE-2015-3145
Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
Diffstat (limited to 'lib/cookie.c')
| -rw-r--r-- | lib/cookie.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/lib/cookie.c b/lib/cookie.c index 0864f6bcf..012792605 100644 --- a/lib/cookie.c +++ b/lib/cookie.c @@ -225,11 +225,14 @@ static char *sanitize_cookie_path(const char *cookie_path) return NULL; /* some stupid site sends path attribute with '"'. */ + len = strlen(new_path); if(new_path[0] == '\"') { - memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path)); + memmove((void *)new_path, (const void *)(new_path + 1), len); + len--; } - if(new_path[strlen(new_path) - 1] == '\"') { - new_path[strlen(new_path) - 1] = 0x0; + if(len && (new_path[len - 1] == '\"')) { + new_path[len - 1] = 0x0; + len--; } /* RFC6265 5.2.4 The Path Attribute */ @@ -241,8 +244,7 @@ static char *sanitize_cookie_path(const char *cookie_path) } /* convert /hoge/ to /hoge */ - len = strlen(new_path); - if(1 < len && new_path[len - 1] == '/') { + if(len && new_path[len - 1] == '/') { new_path[len - 1] = 0x0; } |