From e7b968422693f641483432c870a8b8e6f0128fbb Mon Sep 17 00:00:00 2001
From: Seonah Moon
Date: Mon, 2 Jul 2018 14:04:50 +0900
Subject: [PATCH] pingpong: fix response cache memcpy overflow

Response data for a handle with a large buffer might be cached and then used with the "closure" handle when it has a smaller buffer and then the larger cache will be copied and overflow the new smaller heap based buffer.

Reported-by: Dario Weisser
CVE: CVE-2018-1000300
Bug: https://curl.haxx.se/docs/adv_2018-82c2.htm
Change-Id: I02d35b9494356aaec1ca1f8eab0353a58c849e11
---
 lib/pingpong.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/pingpong.c b/lib/pingpong.c
index 438856a..ad370ee 100644
--- a/lib/pingpong.c
+++ b/lib/pingpong.c
@@ -304,7 +304,10 @@ CURLcode Curl_pp_readresp(curl_socket_t sockfd,
 * it would have been populated with something of size int to begin
 * with, even though its datatype may be larger than an int.
 */
- DEBUGASSERT((ptr + pp->cache_size) <= (buf + data->set.buffer_size + 1));
+ if((ptr + pp->cache_size) > (buf + data->set.buffer_size + 1)) {
+ failf(data, "cached response data too big to handle");
+ return CURLE_RECV_ERROR;
+ }
 memcpy(ptr, pp->cache, pp->cache_size);
 gotbytes = (ssize_t)pp->cache_size;
 free(pp->cache); /* free the cache */
--
2.7.4
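Review bot: The new guard on the first added line computes `ptr + pp->cache_size` before testing it, and in exactly the overflow case it is meant to catch that pointer lies beyond one-past-the-end of the buffer, which is undefined behaviour in C and something the optimiser is entitled to reason away; comparing sizes avoids forming the pointer at all: `if(pp->cache_size > (size_t)((buf + data->set.buffer_size + 1) - ptr)) {`. This assumes, as the old DEBUGASSERT did, that the buffer holds `buffer_size + 1` bytes, which is allocated outside this hunk. On the new error return `pp->cache` is left allocated; presumably the connection teardown releases it, but a short comment such as `/* cache is released with the connection */` would make that intent explicit. Curl_pp_readresp begins and ends outside the hunk.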