diff options
author | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
---|---|---|
committer | ToshikazuOhiwa <toshikazu_ohiwa@mail.toyota.co.jp> | 2020-03-30 09:24:26 +0900 |
commit | 5b80bfd7bffd4c20d80b7c70a7130529e9a755dd (patch) | |
tree | b4bb18dcd1487dbf1ea8127e5671b7bb2eded033 /external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch | |
parent | 706ad73eb02caf8532deaf5d38995bd258725cb8 (diff) |
agl-basesystem
Diffstat (limited to 'external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch')
-rw-r--r-- | external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch | 200 |
1 files changed, 200 insertions, 0 deletions
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch new file mode 100644 index 00000000..8ac55545 --- /dev/null +++ b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch @@ -0,0 +1,200 @@ +From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 29 Apr 2019 08:00:49 +0200 +Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size + +This limits all accepted input strings passed to libcurl to be less than +CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls: +curl_easy_setopt() and curl_url_set(). + +The 8000000 number is arbitrary picked and is meant to detect mistakes +or abuse, not to limit actual practical use cases. By limiting the +acceptable string lengths we also reduce the risk of integer overflows +all over. + +NOTE: This does not apply to `CURLOPT_POSTFIELDS`. + +Test 1559 verifies. + +Closes #3805 + +Upstream-Status: Backport +Dropped a few changes to apply against this version +https://github.com/curl/curl/commit/5fc28510a4664f4 + +CVE: CVE-2019-5435 +affects: libcurl 7.19.4 to and including 7.64.1 +Signed-off-by: Armin Kuster <akuster@mvista.com> + +--- + lib/setopt.c | 7 +++++ + lib/urldata.h | 4 +++ + 7 files changed, 146 insertions(+), 3 deletions(-) + create mode 100644 tests/data/test1559 + create mode 100644 tests/libtest/lib1559.c + +Index: curl-7.61.0/lib/setopt.c +=================================================================== +--- curl-7.61.0.orig/lib/setopt.c ++++ curl-7.61.0/lib/setopt.c +@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, co + if(s) { + char *str = strdup(s); + ++ if(str) { ++ size_t len = strlen(str); ++ if(len > CURL_MAX_INPUT_LENGTH) { ++ free(str); ++ return CURLE_BAD_FUNCTION_ARGUMENT; ++ } ++ } + if(!str) + return CURLE_OUT_OF_MEMORY; + +Index: curl-7.61.0/lib/urldata.h +=================================================================== +--- curl-7.61.0.orig/lib/urldata.h ++++ curl-7.61.0/lib/urldata.h +@@ -79,6 +79,10 @@ + */ + #define RESP_TIMEOUT (1800*1000) + ++/* Max string intput length is a precaution against abuse and to detect junk ++ input easier and better. */ ++#define CURL_MAX_INPUT_LENGTH 8000000 ++ + #include "cookie.h" + #include "psl.h" + #include "formdata.h" +Index: curl-7.61.0/tests/data/test1559 +=================================================================== +--- /dev/null ++++ curl-7.61.0/tests/data/test1559 +@@ -0,0 +1,44 @@ ++<testcase> ++<info> ++<keywords> ++CURLOPT_URL ++</keywords> ++</info> ++ ++<reply> ++</reply> ++ ++<client> ++<server> ++none ++</server> ++ ++# require HTTP so that CURLOPT_POSTFIELDS works as assumed ++<features> ++http ++</features> ++<tool> ++lib1559 ++</tool> ++ ++<name> ++Set excessive URL lengths ++</name> ++</client> ++ ++# ++# Verify that the test runs to completion without crashing ++<verify> ++<errorcode> ++0 ++</errorcode> ++<stdout> ++CURLOPT_URL 10000000 bytes URL == 43 ++CURLOPT_POSTFIELDS 10000000 bytes data == 0 ++CURLUPART_URL 10000000 bytes URL == 3 ++CURLUPART_SCHEME 10000000 bytes scheme == 3 ++CURLUPART_USER 10000000 bytes user == 3 ++</stdout> ++</verify> ++ ++</testcase> +Index: curl-7.61.0/tests/libtest/lib1559.c +=================================================================== +--- /dev/null ++++ curl-7.61.0/tests/libtest/lib1559.c +@@ -0,0 +1,78 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at https://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++#include "test.h" ++ ++#include "testutil.h" ++#include "warnless.h" ++#include "memdebug.h" ++ ++#define EXCESSIVE 10*1000*1000 ++int test(char *URL) ++{ ++ CURLcode res = 0; ++ CURL *curl = NULL; ++ char *longurl = malloc(EXCESSIVE); ++ CURLU *u; ++ (void)URL; ++ ++ memset(longurl, 'a', EXCESSIVE); ++ longurl[EXCESSIVE-1] = 0; ++ ++ global_init(CURL_GLOBAL_ALL); ++ easy_init(curl); ++ ++ res = curl_easy_setopt(curl, CURLOPT_URL, longurl); ++ printf("CURLOPT_URL %d bytes URL == %d\n", ++ EXCESSIVE, (int)res); ++ ++ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl); ++ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n", ++ EXCESSIVE, (int)res); ++ ++ u = curl_url(); ++ if(u) { ++ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0); ++ printf("CURLUPART_URL %d bytes URL == %d\n", ++ EXCESSIVE, (int)uc); ++ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME); ++ printf("CURLUPART_SCHEME %d bytes scheme == %d\n", ++ EXCESSIVE, (int)uc); ++ uc = curl_url_set(u, CURLUPART_USER, longurl, 0); ++ printf("CURLUPART_USER %d bytes user == %d\n", ++ EXCESSIVE, (int)uc); ++ curl_url_cleanup(u); ++ } ++ ++ free(longurl); ++ ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ ++ return 0; ++ ++test_cleanup: ++ ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ ++ return res; /* return the final return code */ ++} |