Unverified Commit 8c7b3737 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

http: restore buffer pointer when bad response-line is parsed 

... leaving the k->str could lead to buffer over-reads later on.

CVE: CVE-2018-1000301
Assisted-by: Max Dymond

Detected by OSS-Fuzz.
Bug: https://curl.haxx.se/docs/adv_2018-b138.html
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7105
parent 1b55d270

lib/http.c

+5 −1
Original line number Diff line number Diff line
@@ -3014,6 +3014,8 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, 
{

  CURLcode result;

  struct SingleRequest *k = &data->req;

  ssize_t onread = *nread;

  char *ostr = k->str;



  /* header line within buffer loop */

  do {
@@ -3078,7 +3080,9 @@ CURLcode Curl_http_readwrite_headers(struct Curl_easy *data, 
        else {

          /* this was all we read so it's all a bad header */

          k->badheader = HEADER_ALLBAD;

          *nread = (ssize_t)rest_length;

          *nread = onread;

          k->str = ostr;

          return CURLE_OK;

        }

        break;

      }