cookie: cookie parser out of boundary memory access
The internal libcurl function called sanitize_cookie_path() that cleans up the path element as given to it from a remote site or when read from a file, did not properly validate the input. If given a path that consisted of a single double-quote, libcurl would index a newly allocated memory area with index -1 and assign a zero to it, thus overwriting one byte of heap memory immediately before the allocation.

CVE-2015-3145
Bug: http://curl.haxx.se/docs/adv_20150422C.html
Reported-by: Hanno Böck
										12
									
								
								lib/cookie.c
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
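--- a/lib/cookie.c
+++ b/lib/cookie.c
@@ -225,11 +225,14 @@ static char *sanitize_cookie_path(const char *cookie_path)
     return NULL;
 
   /* some stupid site sends path attribute with '"'. */
+  len = strlen(new_path);
   if(new_path[0] == '\"') {
-    memmove((void *)new_path, (const void *)(new_path + 1), strlen(new_path));
+    memmove((void *)new_path, (const void *)(new_path + 1), len);
+    len--;
   }
-  if(new_path[strlen(new_path) - 1] == '\"') {
-    new_path[strlen(new_path) - 1] = 0x0;
+  if(len && (new_path[len - 1] == '\"')) {
+    new_path[len - 1] = 0x0;
+    len--;
   }
 
   /* RFC6265 5.2.4 The Path Attribute */
@@ -241,8 +244,7 @@ static char *sanitize_cookie_path(const char *cookie_path)
   }
 
   /* convert /hoge/ to /hoge */
-  len = strlen(new_path);
-  if(1 < len && new_path[len - 1] == '/') {
+  if(len && new_path[len - 1] == '/') {
     new_path[len - 1] = 0x0;
   }
 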
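Review bot: The trailing-slash guard in the second hunk was loosened from `1 < len` to `len`, so a cookie path that is exactly `/` (len 1) now has its only character removed and becomes an empty string, where the old code left a lone `/` intact; only the len == 0 case needed excluding to stop the index -1 write the message describes. Keeping the original lower bound, `if(len > 1 && new_path[len - 1] == '/') {`, closes the out-of-bounds write without that regression. This assumes the unseen lines between the two hunks do not already return for a one-character `/` path; if they do the point is moot, but the tighter bound still costs nothing. The new code also relies on `len` still equalling strlen(new_path) across that unseen stretch (the old code recomputed it there), which deserves a one-line comment such as `/* len is still accurate: the quote stripping above is the last edit to new_path */` if that holds. sanitize_cookie_path begins before the first hunk and its return lies after the second, outside this page.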
	 Daniel Stenberg
					Daniel Stenberg