Description: fix sensitive data disclosure via duphandle read out of bounds
Origin: backport, https://github.com/bagder/curl/commit/b3875606925536f82fc61f3114ac42f29eaf6945
Origin: backport, https://github.com/bagder/curl/commit/e8cea8d70fed7ad5e14d8b3e871ebf0ea0bf53b0
Origin: backport, https://github.com/bagder/curl/commit/92e7e346f35b89d89c079403e5aeb16bee0e8836
Origin: backport, https://github.com/bagder/curl/commit/8a2dda312cc916e3ec3d0bc99850d9abe5ae6b92
7
Index: curl-7.35.0/lib/formdata.c
8
===================================================================
9
--- curl-7.35.0.orig/lib/formdata.c 2014-11-06 10:53:04.237756718 -0500
10
+++ curl-7.35.0/lib/formdata.c 2014-11-06 10:53:04.229756651 -0500
13
#include "curl_memory.h"
17
#define _MPRINTF_REPLACE /* use our functions only */
18
#include <curl/mprintf.h>
21
/***************************************************************************
25
- * Copies the 'source' data to a newly allocated buffer buffer (that is
26
- * returned). Uses buffer_length if not null, else uses strlen to determine
27
- * the length of the buffer to be copied
29
- * Returns the new pointer or NULL on failure.
31
- ***************************************************************************/
32
-static char *memdup(const char *src, size_t buffer_length)
39
- length = buffer_length;
41
- length = strlen(src);
45
- /* no length and a NULL src pointer! */
48
- buffer = malloc(length+add);
50
- return NULL; /* fail */
52
- memcpy(buffer, src, length);
54
- /* if length unknown do null termination */
56
- buffer[length] = '\0';
61
-/***************************************************************************
65
* Stores a formpost parameter and builds the appropriate linked list.
67
(form == first_form) ) {
68
/* Note that there's small risk that form->name is NULL here if the
69
app passed in a bad combo, so we better check for that first. */
72
/* copy name (without strdup; possibly contains null characters) */
73
- form->name = memdup(form->name, form->namelength);
74
+ form->name = Curl_memdup(form->name, form->namelength?
76
+ strlen(form->name)+1);
79
return_value = CURL_FORMADD_MEMORY;
82
HTTPPOST_PTRCONTENTS | HTTPPOST_PTRBUFFER |
83
HTTPPOST_CALLBACK)) ) {
84
/* copy value (without strdup; possibly contains null characters) */
85
- form->value = memdup(form->value, form->contentslength);
86
+ form->value = Curl_memdup(form->value, form->contentslength?
87
+ form->contentslength:
88
+ strlen(form->value)+1);
90
return_value = CURL_FORMADD_MEMORY;
92
Index: curl-7.35.0/lib/strdup.c
93
===================================================================
94
--- curl-7.35.0.orig/lib/strdup.c 2014-11-06 10:53:04.237756718 -0500
95
+++ curl-7.35.0/lib/strdup.c 2014-11-06 10:53:04.229756651 -0500
97
* KIND, either express or implied.
99
***************************************************************************/
101
- * This file is 'mem-include-scan' clean. See test 1132.
103
#include "curl_setup.h"
106
+#include "curl_memory.h"
108
+/* The last #include file should be: */
109
+#include "memdebug.h"
112
char *curlx_strdup(const char *str)
118
+/***************************************************************************
120
+ * Curl_memdup(source, length)
122
+ * Copies the 'source' data to a newly allocated buffer (that is
123
+ * returned). Copies 'length' bytes.
125
+ * Returns the new pointer or NULL on failure.
127
+ ***************************************************************************/
128
+char *Curl_memdup(const char *src, size_t length)
130
+ char *buffer = malloc(length);
132
+ return NULL; /* fail */
134
+ memcpy(buffer, src, length);
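Review bot: Curl_memdup passes `length` to malloc without a lower bound, and malloc(0) is allowed to return NULL on some C libraries, which the failure return on line 132 then reports as an out-of-memory condition. The callers introduced elsewhere in this patch never pass 0 (they use either a non-zero size or `strlen(...)+1`), but that contract is not written down anywhere, so a future caller can trip it silently. Suggest adding to the block comment above the definition: `* 'length' must be non-zero; a zero length may be reported as failure (NULL).` The final return of Curl_memdup lies outside the visible hunk.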
138
Index: curl-7.35.0/lib/strdup.h
139
===================================================================
140
--- curl-7.35.0.orig/lib/strdup.h 2014-11-06 10:53:04.237756718 -0500
141
+++ curl-7.35.0/lib/strdup.h 2014-11-06 10:53:04.229756651 -0500
144
extern char *curlx_strdup(const char *str);
146
+char *Curl_memdup(const char *src, size_t buffer_length);
148
#endif /* HEADER_CURL_STRDUP_H */
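Review bot: The new prototype names its second parameter `buffer_length` while the definition in lib/strdup.c (and its block comment) call it `length`; that is the name the documentation refers to, so the header should match it. The adjacent `curlx_strdup` declaration also carries `extern`, and the new line would be consistent as `extern char *Curl_memdup(const char *src, size_t length);`.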
149
Index: curl-7.35.0/lib/url.c
150
===================================================================
151
--- curl-7.35.0.orig/lib/url.c 2014-11-06 10:53:04.237756718 -0500
152
+++ curl-7.35.0/lib/url.c 2014-11-06 10:53:04.233756684 -0500
154
#include "multihandle.h"
155
#include "pipeline.h"
159
#define _MPRINTF_REPLACE /* use our functions only */
160
#include <curl/mprintf.h>
163
/* Free all dynamic strings stored in the data->set substructure. */
165
- for(i=(enum dupstring)0; i < STRING_LAST; i++)
166
+ for(i=(enum dupstring)0; i < STRING_LAST; i++) {
167
Curl_safefree(data->set.str[i]);
170
if(data->change.referer_alloc) {
171
Curl_safefree(data->change.referer);
172
@@ -351,14 +353,25 @@
173
memset(dst->set.str, 0, STRING_LAST * sizeof(char *));
175
/* duplicate all strings */
176
- for(i=(enum dupstring)0; i< STRING_LAST; i++) {
177
+ for(i=(enum dupstring)0; i< STRING_LASTZEROTERMINATED; i++) {
178
r = setstropt(&dst->set.str[i], src->set.str[i]);
184
- /* If a failure occurred, freeing has to be performed externally. */
186
+ /* duplicate memory areas pointed to */
187
+ i = STRING_COPYPOSTFIELDS;
188
+ if(src->set.postfieldsize && src->set.str[i]) {
189
+ /* postfieldsize is curl_off_t, Curl_memdup() takes a size_t ... */
190
+ dst->set.str[i] = Curl_memdup(src->set.str[i],
191
+ curlx_sotouz(src->set.postfieldsize));
192
+ if(!dst->set.str[i])
193
+ return CURLE_OUT_OF_MEMORY;
194
+ /* point to the new copy */
195
+ dst->set.postfields = dst->set.str[i];
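Review bot: The guard `if(src->set.postfieldsize && src->set.str[i])` treats every non-zero postfieldsize as a byte count, but if postfieldsize can still be the -1 sentinel while STRING_COPYPOSTFIELDS holds a plain zero-terminated copy (the CURLOPT_COPYPOSTFIELDS setopt path is not in this hunk, so this is inferred, not confirmed), `curlx_sotouz(-1)` becomes a near-SIZE_MAX allocation request and duplicating such a handle fails with CURLE_OUT_OF_MEMORY, or hits a debug assertion in curlx_sotouz. If that case is reachable, branch on the sentinel instead of on non-zero: `if(src->set.postfieldsize == -1) dst->set.str[i] = strdup(src->set.str[i]); else dst->set.str[i] = Curl_memdup(src->set.str[i], curlx_sotouz(src->set.postfieldsize));` and keep the existing NULL check after it. Either way, a one-line comment stating which postfieldsize values are expected here would make the guard's intent checkable. The remainder of Curl_dupset after this block is not visible in the hunk.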
202
Index: curl-7.35.0/lib/urldata.h
203
===================================================================
204
--- curl-7.35.0.orig/lib/urldata.h 2014-11-06 10:53:04.237756718 -0500
205
+++ curl-7.35.0/lib/urldata.h 2014-11-06 10:53:04.233756684 -0500
206
@@ -1334,7 +1334,6 @@
207
STRING_KRB_LEVEL, /* krb security level */
208
STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
210
- STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
211
STRING_PROXY, /* proxy to use */
212
STRING_SET_RANGE, /* range, if used */
213
STRING_SET_REFERER, /* custom string for the HTTP referer field */
214
@@ -1376,7 +1375,15 @@
216
STRING_BEARER, /* <bearer>, if used */
218
- /* -- end of strings -- */
219
+ /* -- end of zero-terminated strings -- */
221
+ STRING_LASTZEROTERMINATED,
223
+ /* -- below this are pointers to binary data that cannot be strdup'ed.
224
+ Each such pointer must be added manually to Curl_dupset() --- */
226
+ STRING_COPYPOSTFIELDS, /* if POST, set the fields' values here */
228
STRING_LAST /* not used, just an end-of-list marker */
231
Index: curl-7.35.0/src/Makefile.inc
232
===================================================================
233
--- curl-7.35.0.orig/src/Makefile.inc 2014-11-06 10:53:04.237756718 -0500
234
+++ curl-7.35.0/src/Makefile.inc 2014-11-06 10:53:04.233756684 -0500
236
# the official API, but we re-use the code here to avoid duplication.
259
Index: curl-7.35.0/src/tool_setup.h
260
===================================================================
261
--- curl-7.35.0.orig/src/tool_setup.h 2014-11-06 10:53:04.237756718 -0500
262
+++ curl-7.35.0/src/tool_setup.h 2014-11-06 10:53:04.233756684 -0500
267
-# include "strdup.h"
268
-# define strdup(ptr) curlx_strdup(ptr)
269
+# include "tool_strdup.h"
272
#endif /* HEADER_CURL_TOOL_SETUP_H */
273
Index: curl-7.35.0/src/tool_strdup.c
274
===================================================================
275
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
276
+++ curl-7.35.0/src/tool_strdup.c 2014-11-06 10:53:04.233756684 -0500
278
+/***************************************************************************
280
+ * Project ___| | | | _ \| |
281
+ * / __| | | | |_) | |
282
+ * | (__| |_| | _ <| |___
283
+ * \___|\___/|_| \_\_____|
285
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
287
+ * This software is licensed as described in the file COPYING, which
288
+ * you should have received as part of this distribution. The terms
289
+ * are also available at http://curl.haxx.se/docs/copyright.html.
291
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
292
+ * copies of the Software, and permit persons to whom the Software is
293
+ * furnished to do so, under the terms of the COPYING file.
295
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
296
+ * KIND, either express or implied.
298
+ ***************************************************************************/
299
+#include "tool_strdup.h"
302
+char *strdup(const char *str)
308
+ return (char *)NULL;
312
+ if(len >= ((size_t)-1) / sizeof(char))
313
+ return (char *)NULL;
315
+ newstr = malloc((len+1)*sizeof(char));
317
+ return (char *)NULL;
319
+ memcpy(newstr,str,(len+1)*sizeof(char));
325
Index: curl-7.35.0/src/tool_strdup.h
326
===================================================================
327
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
328
+++ curl-7.35.0/src/tool_strdup.h 2014-11-06 10:53:04.233756684 -0500
330
+#ifndef HEADER_TOOL_STRDUP_H
331
+#define HEADER_TOOL_STRDUP_H
332
+/***************************************************************************
334
+ * Project ___| | | | _ \| |
335
+ * / __| | | | |_) | |
336
+ * | (__| |_| | _ <| |___
337
+ * \___|\___/|_| \_\_____|
339
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
341
+ * This software is licensed as described in the file COPYING, which
342
+ * you should have received as part of this distribution. The terms
343
+ * are also available at http://curl.haxx.se/docs/copyright.html.
345
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
346
+ * copies of the Software, and permit persons to whom the Software is
347
+ * furnished to do so, under the terms of the COPYING file.
349
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
350
+ * KIND, either express or implied.
352
+ ***************************************************************************/
353
+#include "tool_setup.h"
356
+extern char *strdup(const char *str);
359
+#endif /* HEADER_TOOL_STRDUP_H */