OpenWrt – Blame information for rev 4
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 4 | office | 1 | From ba1dbd78e5f1ed67c1b8d37ac89d90e5e330b628 Mon Sep 17 00:00:00 2001 |
| 2 | From: Daniel Stenberg <daniel@haxx.se> |
||
| 3 | Date: Wed, 13 Jun 2018 12:24:40 +0200 |
||
| 4 | Subject: [PATCH] smtp: use the upload buffer size for scratch buffer malloc |
||
| 5 | |||
| 6 | ... not the read buffer size, as that can be set smaller and thus cause |
||
| 7 | a buffer overflow! CVE-2018-0500 |
||
| 8 | |||
| 9 | Reported-by: Peter Wu |
||
| 10 | Bug: https://curl.haxx.se/docs/adv_2018-70a2.html |
||
| 11 | --- |
||
| 12 | lib/smtp.c | 3 ++- |
||
| 13 | 1 file changed, 2 insertions(+), 1 deletion(-) |
||
| 14 | |||
| 15 | --- a/lib/smtp.c |
||
| 16 | +++ b/lib/smtp.c |
||
| 17 | @@ -1563,13 +1563,14 @@ CURLcode Curl_smtp_escape_eob(struct con |
||
| 18 | if(!scratch || data->set.crlf) { |
||
| 19 | oldscratch = scratch; |
||
| 20 | |||
| 21 | - scratch = newscratch = malloc(2 * data->set.buffer_size); |
||
| 22 | + scratch = newscratch = malloc(2 * UPLOAD_BUFSIZE); |
||
| 23 | if(!newscratch) { |
||
| 24 | failf(data, "Failed to alloc scratch buffer!"); |
||
| 25 | |||
| 26 | return CURLE_OUT_OF_MEMORY; |
||
| 27 | } |
||
| 28 | } |
||
| 29 | + DEBUGASSERT(UPLOAD_BUFSIZE >= nread); |
||
| 30 | |||
| 31 | /* Have we already sent part of the EOB? */ |
||
| 32 | eob_sent = smtp->eob; |