diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2014-10-17 12:59:32 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2014-11-05 08:05:14 +0100 |
| commit | b3875606925536f82fc61f3114ac42f29eaf6945 (patch) | |
| tree | 229666d262222b2f34967e00fb5300ec69cda258 /lib/strdup.c | |
| parent | d997c8b2f6521d78c6ef63411cfeb226f7927281 (diff) | |
curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds
When duplicating a handle, the data to post was duplicated using
strdup() when it could be binary and contain zeroes and it was not even
zero terminated! This caused read out of bounds crashes/segfaults.
Since the lib/strdup.c file no longer is easily shared with the curl
tool with this change, it now uses its own version instead.
Bug: http://curl.haxx.se/docs/adv_20141105.html
CVE: CVE-2014-3707
Reported-By: Symeon Paraschoudis
Diffstat (limited to 'lib/strdup.c')
| -rw-r--r-- | lib/strdup.c | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/lib/strdup.c b/lib/strdup.c index 3b776b184..4b5bd4042 100644 --- a/lib/strdup.c +++ b/lib/strdup.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -19,12 +19,12 @@ * KIND, either express or implied. * ***************************************************************************/ -/* - * This file is 'mem-include-scan' clean. See test 1132. - */ #include "curl_setup.h" - #include "strdup.h" +#include "curl_memory.h" + +/* The last #include file should be: */ +#include "memdebug.h" #ifndef HAVE_STRDUP char *curlx_strdup(const char *str) @@ -50,3 +50,25 @@ char *curlx_strdup(const char *str) } #endif + +/*************************************************************************** + * + * Curl_memdup(source, length) + * + * Copies the 'source' data to a newly allocated buffer (that is + * returned). Copies 'length' bytes. + * + * Returns the new pointer or NULL on failure. + * + ***************************************************************************/ +char *Curl_memdup(const char *src, size_t length) +{ + char *buffer = malloc(length); + if(!buffer) + return NULL; /* fail */ + + memcpy(buffer, src, length); + + /* if length unknown do null termination */ + return buffer; +} |