From 9b5e12a5491d2e6b68e0c88ca56f3a9ef9fba400 Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Mon, 20 Nov 2017 01:26:19 -0500
Subject: url: fix alignment of ssl_backend_data struct

- Align the array of ssl_backend_data on a max 32 byte boundary. 8 is likely to be ok but I went with 32 for posterity should one of the ssl_backend_data structs change to contain a larger sized variable in the future. Prior to this change (since dev 70f1db3, release 7.56) the connectdata structure was undersized by 4 bytes in 32-bit builds with ssl enabled because long long * was mistakenly used for alignment instead of long long, with the intention being an 8 byte boundary. Also long long may not be an available type. The undersized connectdata could lead to oob read/write past the end in what was expected to be the last 4 bytes of the connection's secondary socket https proxy ssl_backend_data struct (the secondary socket in a connection is used by ftp, others?). Closes https://github.com/curl/curl/issues/2093 CVE-2017-8818 Bug: https://curl.haxx.se/docs/adv_2017-af0a.html
---
 lib/urldata.h | 10 ----------
 1 file changed, 10 deletions(-)
(limited to 'lib/urldata.h')

diff --git a/lib/urldata.h b/lib/urldata.h
index 94f692223..edd1fd9ac 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1004,16 +1004,6 @@ struct connectdata {
 char *unix_domain_socket;
 bool abstract_unix_socket;
 #endif
-
-#ifdef USE_SSL
- /*
- * To avoid multiple malloc() calls, the ssl_connect_data structures
- * associated with a connectdata struct are allocated in the same block
- * as the latter. This field forces alignment to an 8-byte boundary so
- * that this all works.
- */
- long long *align_data__do_not_use;
-#endif
 };
 /* The end of connectdata. */
-- 
cgit v1.2.3
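Review bot: With align_data__do_not_use removed, nothing left in struct connectdata records that the ssl_backend_data structs live in the same allocation directly after it, which is exactly the layout the deleted comment documented and the layout the undersizing bug came from; a short comment before the closing `};` would keep that contract visible, e.g. `/* When USE_SSL is defined, the ssl_backend_data structs are allocated in the same block immediately after this struct; the allocation site must size and align for them. */`. The 32-byte alignment the message describes is applied at the allocation site, which is not part of this diff (the diffstat is limited to lib/urldata.h), so from this hunk alone only the removal can be checked, not that the replacement padding is correct on 32-bit builds. struct connectdata begins before the hunk.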