curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds

When duplicating a handle, the data to post was duplicated using strdup() when it could be binary and contain zeroes and it was not even zero terminated! This caused read out of bounds crashes/segfaults. Since the lib/strdup.c file no longer is easily shared with the curl tool with this change, it now uses its own version instead. Bug: http://curl.haxx.se/docs/adv_20141105.html CVE: CVE-2014-3707 Reported-By: Symeon Paraschoudis
author: Daniel Stenberg <daniel@haxx.se> 2014-10-17 12:59:32 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2014-11-05 08:05:14 +0100
commit: b3875606925536f82fc61f3114ac42f29eaf6945 (patch)
tree: 229666d262222b2f34967e00fb5300ec69cda258 /lib/strdup.h
parent: d997c8b2f6521d78c6ef63411cfeb226f7927281 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/lib/strdup.h b/lib/strdup.h
index 49af9117e..23a71f863 100644
--- a/lib/strdup.h
+++ b/lib/strdup.h
@@ -7,7 +7,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -26,5 +26,6 @@
 #ifndef HAVE_STRDUP
 extern char *curlx_strdup(const char *str);
 #endif
+char *Curl_memdup(const char *src, size_t buffer_length);
 
 #endif /* HEADER_CURL_STRDUP_H */
author	Daniel Stenberg <daniel@haxx.se>	2014-10-17 12:59:32 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2014-11-05 08:05:14 +0100
commit	b3875606925536f82fc61f3114ac42f29eaf6945 (patch)
tree	229666d262222b2f34967e00fb5300ec69cda258 /lib/strdup.h
parent	d997c8b2f6521d78c6ef63411cfeb226f7927281 (diff)