40 lines
1.1 KiB
Diff
40 lines
1.1 KiB
Diff
From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Sat, 24 Mar 2018 23:47:41 +0100
|
|
Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
|
|
|
|
... leaving the k->str could lead to buffer over-reads later on.
|
|
|
|
CVE: CVE-2018-1000301
|
|
Assisted-by: Max Dymond
|
|
|
|
Detected by OSS-Fuzz.
|
|
Bug: https://curl.haxx.se/docs/adv_2018-b138.html
|
|
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
|
|
---
|
|
lib/http.c | 6 +++++-
|
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
|
--- a/lib/http.c
|
|
+++ b/lib/http.c
|
|
@@ -2924,6 +2924,8 @@ CURLcode Curl_http_readwrite_headers(str
|
|
{
|
|
CURLcode result;
|
|
struct SingleRequest *k = &data->req;
|
|
+ ssize_t onread = *nread;
|
|
+ char *ostr = k->str;
|
|
|
|
/* header line within buffer loop */
|
|
do {
|
|
@@ -2988,7 +2990,9 @@ CURLcode Curl_http_readwrite_headers(str
|
|
else {
|
|
/* this was all we read so it's all a bad header */
|
|
k->badheader = HEADER_ALLBAD;
|
|
- *nread = (ssize_t)rest_length;
|
|
+ *nread = onread;
|
|
+ k->str = ostr;
|
|
+ return CURLE_OK;
|
|
}
|
|
break;
|
|
}
|