curl: fix some security problems
[openwrt/staging/xback.git] / package / network / utils / curl / patches / 114-CVE-2018-1000301.patch
1 From 8c7b3737d29ed5c0575bf592063de8a51450812d Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Sat, 24 Mar 2018 23:47:41 +0100
4 Subject: [PATCH] http: restore buffer pointer when bad response-line is parsed
5
6 ... leaving the k->str could lead to buffer over-reads later on.
7
8 CVE: CVE-2018-1000301
9 Assisted-by: Max Dymond
10
11 Detected by OSS-Fuzz.
12 Bug: https://curl.haxx.se/docs/adv_2018-b138.html
13 Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
14 ---
15 lib/http.c | 6 +++++-
16 1 file changed, 5 insertions(+), 1 deletion(-)
17
18 --- a/lib/http.c
19 +++ b/lib/http.c
20 @@ -2924,6 +2924,8 @@ CURLcode Curl_http_readwrite_headers(str
21 {
22 CURLcode result;
23 struct SingleRequest *k = &data->req;
24 + ssize_t onread = *nread;
25 + char *ostr = k->str;
26
27 /* header line within buffer loop */
28 do {
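Review bot: the snapshot in `ssize_t onread = *nread;` and `char *ostr = k->str;` is taken once, before the `do {` loop, so anything restored from it goes back to the state at function entry, not to the start of the line currently being parsed. If the loop can reach the restoring branch after an earlier iteration has already advanced `k->str`, the already-processed bytes would be handed back too. A short comment at these declarations stating that they hold the entry values, and under what condition it is valid to restore them, would make that invariant checkable. The names are also terse; orig_nread and orig_str would read more clearly than `onread` and `ostr`.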
29 @@ -2988,7 +2990,9 @@ CURLcode Curl_http_readwrite_headers(str
30 else {
31 /* this was all we read so it's all a bad header */
32 k->badheader = HEADER_ALLBAD;
33 - *nread = (ssize_t)rest_length;
34 + *nread = onread;
35 + k->str = ostr;
36 + return CURLE_OK;
37 }
38 break;
39 }
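Review bot: the added `return CURLE_OK;` in the `HEADER_ALLBAD` branch exits from inside the loop, so the `break;` after the else block and any code the function runs after the loop is skipped on this path. Please confirm nothing there is still needed, and extend the existing comment ("this was all we read so it's all a bad header") to say that `*nread` and `k->str` are put back to the values they had on entry, since that is the actual fix and the code alone does not explain why `rest_length` was the wrong value. The diffstat lists only lib/http.c, so no regression test comes with the change; a test case that feeds a bad response-line would guard against the over-read coming back.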