1 |
From 1620f552a277ed5b23a48b9c27dbf07663cac068 Mon Sep 17 00:00:00 2001 |
2 |
From: Daniel Stenberg <daniel@haxx.se> |
3 |
Date: Tue, 27 Sep 2016 17:36:19 +0200 |
4 |
Subject: [PATCH] cookie: replace use of fgets() with custom version |
5 |
|
6 |
... that will ignore lines that are too long to fit in the buffer. |
7 |
|
8 |
CVE-2016-8615 |
9 |
|
10 |
Bug: https://curl.haxx.se/docs/adv_20161102A.html |
11 |
Reported-by: Cure53 |
12 |
--- |
13 |
lib/cookie.c | 31 ++++++++++++++++++++++++++++++- |
14 |
1 file changed, 30 insertions(+), 1 deletion(-) |
15 |
|
16 |
diff --git a/lib/cookie.c b/lib/cookie.c |
17 |
index 0f05da2..e5097d3 100644 |
18 |
--- a/lib/cookie.c |
19 |
+++ b/lib/cookie.c |
20 |
@@ -901,10 +901,39 @@ Curl_cookie_add(struct Curl_easy *data, |
21 |
} |
22 |
|
23 |
return co; |
24 |
} |
25 |
|
26 |
+/* |
27 |
+ * get_line() makes sure to only return complete whole lines that fit in 'len' |
28 |
+ * bytes and end with a newline. |
29 |
+ */ |
30 |
+static char *get_line(char *buf, int len, FILE *input) |
31 |
+{ |
32 |
+ bool partial = FALSE; |
33 |
+ while(1) { |
34 |
+ char *b = fgets(buf, len, input); |
35 |
+ if(b) { |
36 |
+ size_t rlen = strlen(b); |
37 |
+ if(rlen && (b[rlen-1] == '\n')) { |
38 |
+ if(partial) { |
39 |
+ partial = FALSE; |
40 |
+ continue; |
41 |
+ } |
42 |
+ return b; |
43 |
+ } |
44 |
+ else |
45 |
+ /* read a partial, discard the next piece that ends with newline */ |
46 |
+ partial = TRUE; |
47 |
+ } |
48 |
+ else |
49 |
+ break; |
50 |
+ } |
51 |
+ return NULL; |
52 |
+} |
53 |
+ |
54 |
+ |
55 |
/***************************************************************************** |
56 |
* |
57 |
* Curl_cookie_init() |
58 |
* |
59 |
* Inits a cookie struct to read data from a local file. This is always |
60 |
@@ -957,11 +986,11 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, |
61 |
bool headerline; |
62 |
|
63 |
line = malloc(MAX_COOKIE_LINE); |
64 |
if(!line) |
65 |
goto fail; |
66 |
- while(fgets(line, MAX_COOKIE_LINE, fp)) { |
67 |
+ while(get_line(line, MAX_COOKIE_LINE, fp)) { |
68 |
if(checkprefix("Set-Cookie:", line)) { |
69 |
/* This is a cookie line, get it! */ |
70 |
lineptr=&line[11]; |
71 |
headerline=TRUE; |
72 |
} |
73 |
-- |
74 |
2.9.3 |
75 |
|