curl/lib/strdup.c
Daniel Stenberg b387560692 curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
When duplicating a handle, the data to post was duplicated using
strdup() when it could be binary and contain zeroes and it was not even
zero terminated! This caused read out of bounds crashes/segfaults.

Since the lib/strdup.c file no longer is easily shared with the curl
tool with this change, it now uses its own version instead.

Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis
2014-11-05 08:05:14 +01:00


/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
* / __| | | | |_) | |
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
* are also available at http://curl.haxx.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
* furnished to do so, under the terms of the COPYING file.
*
* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
* KIND, either express or implied.
*
***************************************************************************/
#include "curl_setup.h"
#include "strdup.h"
#include "curl_memory.h"
/* The last #include file should be: */
#include "memdebug.h"
#ifndef HAVE_STRDUP
/*
 * curlx_strdup(str)
 *
 * Replacement strdup(), compiled only when HAVE_STRDUP is not defined.
 *
 * Returns a newly allocated copy of the zero terminated string 'str',
 * terminator included, or NULL when 'str' is NULL, when the byte count
 * would not fit in a size_t, or when the allocation fails.
 */
char *curlx_strdup(const char *str)
{
  size_t nbytes;
  char *copy;

  if(str == NULL)
    return (char *)NULL;

  nbytes = strlen(str);

  /* refuse lengths where (len+1)*sizeof(char) could wrap around */
  if(nbytes >= ((size_t)-1) / sizeof(char))
    return (char *)NULL;

  /* from here on 'nbytes' counts the terminating zero as well */
  nbytes = (nbytes + 1) * sizeof(char);

  copy = malloc(nbytes);
  if(copy != NULL)
    memcpy(copy, str, nbytes);

  return copy;
}
#endif
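/***************************************************************************
 *
 * Curl_memdup(source, length)
 *
 * Copies exactly 'length' bytes from 'source' to a newly allocated buffer
 * (that is returned). The data is treated as binary: embedded zero bytes
 * are copied like any other byte and NO terminating zero is appended. The
 * caller must therefore keep track of 'length' itself and must never pass
 * the result to code that expects a zero terminated string (strlen(),
 * strdup() and friends), since that would read past the end of the buffer.
 *
 * Returns the new pointer or NULL on failure. Failure means the allocation
 * failed, or 'source' is NULL while 'length' is non-zero. For a zero
 * 'length' the result is whatever malloc(0) returns, which may be NULL on
 * some platforms.
 *
 * The returned buffer comes from malloc() and is owned by the caller.
 *
 ***************************************************************************/
char *Curl_memdup(const char *src, size_t length)
{
  char *buffer;

  /* there is nothing to read 'length' bytes from */
  if(!src && length)
    return NULL; /* fail */

  buffer = malloc(length);
  if(!buffer)
    return NULL; /* fail */

  /* memcpy() must not be handed a NULL pointer, not even for zero bytes */
  if(length)
    memcpy(buffer, src, length);

  return buffer;
}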