blob: 4e600fe784ff986d8f458dd0e0346f33b9faad0a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
Date: Fri, 20 Oct 2017 15:15:47 +0200
Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling
(CVE-2017-13090)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* src/retr.c (fd_read_body): Stop processing on negative chunk size
Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
---
src/retr.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/retr.c b/src/retr.c
index a27d58af..723ac725 100644
--- a/src/retr.c
+++ b/src/retr.c
@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
remaining_chunk_size = strtol (line, &endl, 16);
xfree (line);
+ if (remaining_chunk_size < 0)
+ {
+ ret = -1;
+ break;
+ }
+
if (remaining_chunk_size == 0)
{
ret = 0;
--
2.15.0.rc1
|
