package/network/utils/curl/patches/103-CVE-2017-1000100.patch

   1 From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001
   2 From: Daniel Stenberg <daniel@haxx.se>
   3 Date: Tue, 1 Aug 2017 17:16:46 +0200
   4 Subject: [PATCH] tftp: reject file name lengths that don't fit
   5
   6 ... and thereby avoid telling send() to send off more bytes than the
   7 size of the buffer!
   8
   9 CVE-2017-1000100
  10
  11 Bug: https://curl.haxx.se/docs/adv_20170809B.html
  12 Reported-by: Even Rouault
  13
  14 Credit to OSS-Fuzz for the discovery
  15 ---
  16  lib/tftp.c | 7 ++++++-
  17  1 file changed, 6 insertions(+), 1 deletion(-)
  18
  19 --- a/lib/tftp.c
  20 +++ b/lib/tftp.c
  21 @@ -5,7 +5,7 @@
  22   *                            | (__| |_| |  _ <| |___
  23   *                             \___|\___/|_| \_\_____|
  24   *
  25 - * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
  26 + * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
  27   *
  28   * This software is licensed as described in the file COPYING, which
  29   * you should have received as part of this distribution. The terms
  30 @@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_sta
  31      if(result)
  32        return result;
  33
  34 +    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
  35 +      failf(data, "TFTP file name too long\n");
  36 +      return CURLE_TFTP_ILLEGAL; /* too long file name field */
  37 +    }
  38 +
  39      snprintf((char *)state->spacket.data+2,
  40               state->blksize,
  41               "%s%c%s%c", filename, '\0',  mode, '\0');