granicus.if.org Git - curl/commit

]> granicus.if.org Git - curl/commit

author	Daniel Stenberg <daniel@haxx.se>
	Fri, 17 Oct 2014 10:59:32 +0000 (12:59 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Wed, 5 Nov 2014 07:05:14 +0000 (08:05 +0100)
commit	b3875606925536f82fc61f3114ac42f29eaf6945
tree	229666d262222b2f34967e00fb5300ec69cda258	tree \| snapshot
parent	d997c8b2f6521d78c6ef63411cfeb226f7927281	commit \| diff

curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds

When duplicating a handle, the data to post was duplicated using
strdup() when it could be binary and contain zeroes and it was not even
zero terminated! This caused read out of bounds crashes/segfaults.

Since the lib/strdup.c file no longer is easily shared with the curl
tool with this change, it now uses its own version instead.

Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis

lib/formdata.c		diff \| blob \| history
lib/strdup.c		diff \| blob \| history
lib/strdup.h		diff \| blob \| history
lib/url.c		diff \| blob \| history
lib/urldata.h		diff \| blob \| history
src/Makefile.inc		diff \| blob \| history
src/tool_setup.h		diff \| blob \| history
src/tool_strdup.c	[new file with mode: 0644]	blob
src/tool_strdup.h	[new file with mode: 0644]	blob

Unnamed repository; edit this file 'description' to name the repository.

RSS Atom