Unverified Commit 583b42cb authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

pingpong: fix response cache memcpy overflow 

Response data for a handle with a large buffer might be cached and then
used with the "closure" handle when it has a smaller buffer and then the
larger cache will be copied and overflow the new smaller heap based
buffer.

Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.html
parent 8c7b3737

lib/pingpong.c

+4 −1
Original line number Diff line number Diff line
@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd, 
       * it would have been populated with something of size int to begin

       * with, even though its datatype may be larger than an int.

       */

      DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));

      if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {

        failf(data, "cached response data too big to handle");

        return CURLE_RECV_ERROR;

      }

      memcpy(ptr, pp->cache, pp->cache_size);

      gotbytes = (ssize_t)pp->cache_size;

      free(pp->cache);    /* free the cache */