[GNUnet-SVN] [gnurl] 250/254: url: fix buffer overwrite with file protoc

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 250/254: url: fix buffer overwrite with file protoc

From:	gnunet
Subject:	[GNUnet-SVN] [gnurl] 250/254: url: fix buffer overwrite with file protocol (CVE-2017-9502)
Date:	Sat, 17 Jun 2017 16:54:42 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to annotated tag gnurl-7.54.1
in repository gnurl.

commit 5d7952f52e410e1d4a8ff1965e5cc6fc1bde86aa
Author: Daniel Stenberg <address@hidden>
AuthorDate: Wed Jun 7 00:21:04 2017 +0200

    url: fix buffer overwrite with file protocol (CVE-2017-9502)
    
    Bug: https://github.com/curl/curl/issues/1540
    Advisory: https://curl.haxx.se/docs/adv_20170614.html
    
    Assisted-by: Ray Satiro
    Reported-by: Marcel Raad
---
 lib/url.c | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/lib/url.c b/lib/url.c
index 84822d9bc..87446dbca 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy 
*data,
 #endif
 
     protop = "file"; /* protocol string */
+    *prot_missing = !url_has_scheme;
   }
   else {
     /* clear path */
@@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy 
*data,
 
     size_t plen = strlen(path); /* new path, should be 1 byte longer than
                                    the original */
-    size_t urllen = strlen(data->change.url); /* original URL length */
-
     size_t prefixlen = strlen(conn->host.name);
 
-    if(!*prot_missing)
-      prefixlen += strlen(protop) + strlen("://");
+    if(!*prot_missing) {
+      size_t protolen = strlen(protop);
+
+      if(curl_strnequal(protop, data->change.url, protolen))
+        prefixlen += protolen;
+      else {
+        failf(data, "<url> malformed");
+        return CURLE_URL_MALFORMAT;
+      }
+
+      if(curl_strnequal("://", &data->change.url[protolen], 3))
+        prefixlen += 3;
+      /* only file: is allowed to omit one or both slashes */
+      else if(curl_strnequal("file:", data->change.url, 5))
+        prefixlen += 1 + (data->change.url[5] == '/');
+      else {
+        failf(data, "<url> malformed");
+        return CURLE_URL_MALFORMAT;
+      }
+    }
 
-    reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */
+    reurl = malloc(prefixlen + plen + 1);
     if(!reurl)
       return CURLE_OUT_OF_MEMORY;
 

-- 
To stop receiving notification emails like this one, please contact
address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

[GNUnet-SVN] [gnurl] 207/254: test1538: verify the libcurl strerror API calls, (continued)
- [GNUnet-SVN] [gnurl] 207/254: test1538: verify the libcurl strerror API calls, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 184/254: opts: more examples added to man pages, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 229/254: test1121: use stricter types to work with typcheck-gcc, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 177/254: tests: removed some redundant empty <stdout> sections, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 182/254: CURLOPT_PROXY.3: describe the environment variables more, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 241/254: setopt: check CURLOPT_ADDRESS_SCOPE option range, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 176/254: runtests.pl: removed <precommand> feature, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 199/254: curl-compilers.m4: escape square brackets in regex, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 217/254: libtest: fix implicit-fallthrough warnings with GCC 7, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 188/254: example/externalsocket.c: make it use CLOSESOCKETFUNCTION too, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 250/254: url: fix buffer overwrite with file protocol (CVE-2017-9502), gnunet <=
- [GNUnet-SVN] [gnurl] 240/254: cmake: Fix inconsistency regarding mbed TLS include directory, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 224/254: curl_ntlm_core: use Curl_raw_toupper instead of toupper, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 233/254: travis: let some builds *not* use --enable-debug, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 227/254: test1521: test *all* curl_easy_setopt options, gnunet, 2017/06/17
- [GNUnet-SVN] [gnurl] 254/254: Patchset for gnURL microfork: * Patches to rename libcurl to libgnurl by Christian * Updated for latest curl using git cherry-pick by Jeff, Florian, ng0 * Patches to fix the testsuite (deleted tests/data/test1139, renamed reference from libcurl.* to libgnurl.*) by ng0 * Added guix-gnurl.scm which can be used to build this with guix prior to installing it. (author: ng0) * Further adjustments by ng0, gnunet, 2017/06/17

Prev by Date: [GNUnet-SVN] [gnurl] 188/254: example/externalsocket.c: make it use CLOSESOCKETFUNCTION too
Next by Date: [GNUnet-SVN] [gnurl] 240/254: cmake: Fix inconsistency regarding mbed TLS include directory
Previous by thread: [GNUnet-SVN] [gnurl] 188/254: example/externalsocket.c: make it use CLOSESOCKETFUNCTION too
Next by thread: [GNUnet-SVN] [gnurl] 240/254: cmake: Fix inconsistency regarding mbed TLS include directory
Index(es):
- Date
- Thread