| From 3dbc2e06ad487862c2fcc64d4891ff8aeb254bad Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> |
| Date: Fri, 20 Oct 2017 10:59:38 +0200 |
| Subject: [PATCH 1/2] Fix stack overflow in HTTP protocol handling |
| (CVE-2017-13089) |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| * src/http.c (skip_short_body): Return error on negative chunk size |
| |
| Reported-by: Antti Levomรคki, Christian Jalio, Joonas Pihlaja from Forcepoint |
| Reported-by: Juhani Eronen from Finnish National Cyber Security Centre |
| --- |
| src/http.c | 3 +++ |
| 1 file changed, 3 insertions(+) |
| |
| diff --git a/src/http.c b/src/http.c |
| index 55367688..dc318231 100644 |
| --- a/src/http.c |
| +++ b/src/http.c |
| @@ -973,6 +973,9 @@ skip_short_body (int fd, wgint contlen, bool chunked) |
| remaining_chunk_size = strtol (line, &endl, 16); |
| xfree (line); |
| |
| + if (remaining_chunk_size < 0) |
| + return false; |
| + |
| if (remaining_chunk_size == 0) |
| { |
| line = fd_read_line (fd); |
| -- |
| 2.15.0.rc1 |
| |