Diffstat (limited to 'external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch')
-rw-r--r--external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch200
1 files changed, 0 insertions, 200 deletions
diff --git a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch b/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch
deleted file mode 100644
index 8ac55545..00000000
--- a/external/poky/meta/recipes-support/curl/curl/CVE-2019-5435.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 29 Apr 2019 08:00:49 +0200
-Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size
-
-This limits all accepted input strings passed to libcurl to be less than
-CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
-curl_easy_setopt() and curl_url_set().
-
-The 8000000 number is arbitrary picked and is meant to detect mistakes
-or abuse, not to limit actual practical use cases. By limiting the
-acceptable string lengths we also reduce the risk of integer overflows
-all over.
-
-NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
-
-Test 1559 verifies.
-
-Closes #3805
-
-Upstream-Status: Backport
-Dropped a few changes to apply against this version
-https://github.com/curl/curl/commit/5fc28510a4664f4
-
-CVE: CVE-2019-5435
-affects: libcurl 7.19.4 to and including 7.64.1
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- lib/setopt.c | 7 +++++
- lib/urldata.h | 4 +++
- 7 files changed, 146 insertions(+), 3 deletions(-)
- create mode 100644 tests/data/test1559
- create mode 100644 tests/libtest/lib1559.c
-
-Index: curl-7.61.0/lib/setopt.c
-===================================================================
---- curl-7.61.0.orig/lib/setopt.c
-+++ curl-7.61.0/lib/setopt.c
-@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, co
- if(s) {
- char *str = strdup(s);
-
-+ if(str) {
-+ size_t len = strlen(str);
-+ if(len > CURL_MAX_INPUT_LENGTH) {
-+ free(str);
-+ return CURLE_BAD_FUNCTION_ARGUMENT;
-+ }
-+ }
- if(!str)
- return CURLE_OUT_OF_MEMORY;
-
-Index: curl-7.61.0/lib/urldata.h
-===================================================================
---- curl-7.61.0.orig/lib/urldata.h
-+++ curl-7.61.0/lib/urldata.h
-@@ -79,6 +79,10 @@
- */
- #define RESP_TIMEOUT (1800*1000)
-
-+/* Max string intput length is a precaution against abuse and to detect junk
-+ input easier and better. */
-+#define CURL_MAX_INPUT_LENGTH 8000000
-+
- #include "cookie.h"
- #include "psl.h"
- #include "formdata.h"
-Index: curl-7.61.0/tests/data/test1559
-===================================================================
---- /dev/null
-+++ curl-7.61.0/tests/data/test1559
-@@ -0,0 +1,44 @@
-+<testcase>
-+<info>
-+<keywords>
-+CURLOPT_URL
-+</keywords>
-+</info>
-+
-+<reply>
-+</reply>
-+
-+<client>
-+<server>
-+none
-+</server>
-+
-+# require HTTP so that CURLOPT_POSTFIELDS works as assumed
-+<features>
-+http
-+</features>
-+<tool>
-+lib1559
-+</tool>
-+
-+<name>
-+Set excessive URL lengths
-+</name>
-+</client>
-+
-+#
-+# Verify that the test runs to completion without crashing
-+<verify>
-+<errorcode>
-+0
-+</errorcode>
-+<stdout>
-+CURLOPT_URL 10000000 bytes URL == 43
-+CURLOPT_POSTFIELDS 10000000 bytes data == 0
-+CURLUPART_URL 10000000 bytes URL == 3
-+CURLUPART_SCHEME 10000000 bytes scheme == 3
-+CURLUPART_USER 10000000 bytes user == 3
-+</stdout>
-+</verify>
-+
-+</testcase>
-Index: curl-7.61.0/tests/libtest/lib1559.c
-===================================================================
---- /dev/null
-+++ curl-7.61.0/tests/libtest/lib1559.c
-@@ -0,0 +1,78 @@
-+/***************************************************************************
-+ * _ _ ____ _
-+ * Project ___| | | | _ \| |
-+ * / __| | | | |_) | |
-+ * | (__| |_| | _ <| |___
-+ * \___|\___/|_| \_\_____|
-+ *
-+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ *
-+ * This software is licensed as described in the file COPYING, which
-+ * you should have received as part of this distribution. The terms
-+ * are also available at https://curl.haxx.se/docs/copyright.html.
-+ *
-+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
-+ * copies of the Software, and permit persons to whom the Software is
-+ * furnished to do so, under the terms of the COPYING file.
-+ *
-+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-+ * KIND, either express or implied.
-+ *
-+ ***************************************************************************/
-+#include "test.h"
-+
-+#include "testutil.h"
-+#include "warnless.h"
-+#include "memdebug.h"
-+
-+#define EXCESSIVE 10*1000*1000
-+int test(char *URL)
-+{
-+ CURLcode res = 0;
-+ CURL *curl = NULL;
-+ char *longurl = malloc(EXCESSIVE);
-+ CURLU *u;
-+ (void)URL;
-+
-+ memset(longurl, 'a', EXCESSIVE);
-+ longurl[EXCESSIVE-1] = 0;
-+
-+ global_init(CURL_GLOBAL_ALL);
-+ easy_init(curl);
-+
-+ res = curl_easy_setopt(curl, CURLOPT_URL, longurl);
-+ printf("CURLOPT_URL %d bytes URL == %d\n",
-+ EXCESSIVE, (int)res);
-+
-+ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl);
-+ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n",
-+ EXCESSIVE, (int)res);
-+
-+ u = curl_url();
-+ if(u) {
-+ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0);
-+ printf("CURLUPART_URL %d bytes URL == %d\n",
-+ EXCESSIVE, (int)uc);
-+ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME);
-+ printf("CURLUPART_SCHEME %d bytes scheme == %d\n",
-+ EXCESSIVE, (int)uc);
-+ uc = curl_url_set(u, CURLUPART_USER, longurl, 0);
-+ printf("CURLUPART_USER %d bytes user == %d\n",
-+ EXCESSIVE, (int)uc);
-+ curl_url_cleanup(u);
-+ }
-+
-+ free(longurl);
-+
-+ curl_easy_cleanup(curl);
-+ curl_global_cleanup();
-+
-+ return 0;
-+
-+test_cleanup:
-+
-+ curl_easy_cleanup(curl);
-+ curl_global_cleanup();
-+
-+ return res; /* return the final return code */
-+}