curl_easy_duphandle: CURLOPT_COPYPOSTFIELDS read out of bounds

When duplicating a handle, the data to post was duplicated using strdup() when it could be binary and contain zeroes and it was not even zero terminated! This caused read out of bounds crashes/segfaults. Since the lib/strdup.c file no longer is easily shared with the curl tool with this change, it now uses its own version instead. Bug: http://curl.haxx.se/docs/adv_20141105.html CVE: CVE-2014-3707 Reported-By: Symeon Paraschoudis
author: Daniel Stenberg <daniel@haxx.se> 2014-10-17 12:59:32 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2014-11-05 08:05:14 +0100
commit: b3875606925536f82fc61f3114ac42f29eaf6945 (patch)
tree: 229666d262222b2f34967e00fb5300ec69cda258 /src/Makefile.inc
parent: d997c8b2f6521d78c6ef63411cfeb226f7927281 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/Makefile.inc b/src/Makefile.inc
index 64d55ecf9..401a635ad 100644
--- a/src/Makefile.inc
+++ b/src/Makefile.inc
@@ -11,7 +11,6 @@
 # the official API, but we re-use the code here to avoid duplication.
 CURLX_CFILES = \
 	../lib/strtoofft.c \
-	../lib/strdup.c \
 	../lib/rawstr.c \
 	../lib/nonblock.c \
 	../lib/warnless.c
@@ -19,7 +18,6 @@ CURLX_CFILES = \
 CURLX_HFILES = \
 	../lib/curl_setup.h \
 	../lib/strtoofft.h \
-	../lib/strdup.h \
 	../lib/rawstr.h \
 	../lib/nonblock.h \
 	../lib/warnless.h
@@ -55,6 +53,7 @@ CURL_CFILES = \
 	tool_panykey.c \
 	tool_paramhlp.c \
 	tool_parsecfg.c \
+	tool_strdup.c \
 	tool_setopt.c \
 	tool_sleep.c \
 	tool_urlglob.c \
@@ -99,6 +98,7 @@ CURL_HFILES = \
 	tool_setopt.h \
 	tool_setup.h \
 	tool_sleep.h \
+	tool_strdup.h \
 	tool_urlglob.h \
 	tool_util.h \
 	tool_version.h \
author	Daniel Stenberg <daniel@haxx.se>	2014-10-17 12:59:32 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2014-11-05 08:05:14 +0100
commit	b3875606925536f82fc61f3114ac42f29eaf6945 (patch)
tree	229666d262222b2f34967e00fb5300ec69cda258 /src/Makefile.inc
parent	d997c8b2f6521d78c6ef63411cfeb226f7927281 (diff)