package/network/utils/curl/patches/109-CVE-2018-1000005.patch

   1 From fa3dbb9a147488a2943bda809c66fc497efe06cb Mon Sep 17 00:00:00 2001
   2 From: Zhouyihai Ding <ddyihai@ddyihai.svl.corp.google.com>
   3 Date: Wed, 10 Jan 2018 10:12:18 -0800
   4 Subject: [PATCH] http2: fix incorrect trailer buffer size
   5
   6 Prior to this change the stored byte count of each trailer was
   7 miscalculated and 1 less than required. It appears any trailer
   8 after the first that was passed to Curl_client_write would be truncated
   9 or corrupted as well as the size. Potentially the size of some
  10 subsequent trailer could be erroneously extracted from the contents of
  11 that trailer, and since that size is used by client write an
  12 out-of-bounds read could occur and cause a crash or be otherwise
  13 processed by client write.
  14
  15 The bug appears to have been born in 0761a51 (precedes 7.49.0).
  16
  17 Closes https://github.com/curl/curl/pull/2231
  18 ---
  19  lib/http2.c | 4 ++--
  20  1 file changed, 2 insertions(+), 2 deletions(-)
  21
  22 --- a/lib/http2.c
  23 +++ b/lib/http2.c
  24 @@ -864,8 +864,8 @@ static int on_header(nghttp2_session *se
  25
  26    if(stream->bodystarted) {
  27      /* This is trailer fields. */
  28 -    /* 3 is for ":" and "\r\n". */
  29 -    uint32_t n = (uint32_t)(namelen + valuelen + 3);
  30 +    /* 4 is for ": " and "\r\n". */
  31 +    uint32_t n = (uint32_t)(namelen + valuelen + 4);
  32
  33      DEBUGF(infof(data_s, "h2 trailer: %.*s: %.*s\n", namelen, name, valuelen,
  34                   value));