| From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de> |
| Date: Fri, 20 Oct 2017 15:15:47 +0200 |
| Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling |
| (CVE-2017-13090) |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| * src/retr.c (fd_read_body): Stop processing on negative chunk size |
| |
| Reported-by: Antti Levomรคki, Christian Jalio, Joonas Pihlaja from Forcepoint |
| Reported-by: Juhani Eronen from Finnish National Cyber Security Centre |
| --- |
| src/retr.c | 6 ++++++ |
| 1 file changed, 6 insertions(+) |
| |
| diff --git a/src/retr.c b/src/retr.c |
| index a27d58af..723ac725 100644 |
| --- a/src/retr.c |
| +++ b/src/retr.c |
| @@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread, |
| remaining_chunk_size = strtol (line, &endl, 16); |
| xfree (line); |
| |
| + if (remaining_chunk_size < 0) |
| + { |
| + ret = -1; |
| + break; |
| + } |
| + |
| if (remaining_chunk_size == 0) |
| { |
| ret = 0; |
| -- |
| 2.15.0.rc1 |
| |
