From 0583e87ada7a3cfb10904ae4ab61b339582c5bd3 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 16 Apr 2015 23:52:04 +0200 Subject: [PATCH] fix_hostname: zero length host name caused -1 index offset MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit If a URL is given with a zero-length host name, like in "http://:80" or just ":80", `fix_hostname()` will index the host name pointer with a -1 offset (as it blindly assumes a non-zero length) and both read and assign that address. CVE-2015-3144 Bug: http://curl.haxx.se/docs/adv_20150422D.html Reported-by: Hanno Böck --- lib/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/url.c b/lib/url.c index ee3d176d9..f033dbc95 100644 --- a/lib/url.c +++ b/lib/url.c @@ -3627,7 +3627,7 @@ static void fix_hostname(struct SessionHandle *data, host->dispname = host->name; len = strlen(host->name); - if(host->name[len-1] == '.') + if(len && (host->name[len-1] == '.')) /* strip off a single trailing dot if present, primarily for SNI but there's no use for it */ host->name[len-1]=0; -- 2.40.0