6160b9ad9b
OBS-URL: https://build.opensuse.org/request/show/536249 OBS-URL: https://build.opensuse.org/package/show/network:utilities/wget?expand=0&rev=80
35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
From 28925c37b72867c0819799c6f35caf9439080f83 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
|
|
Date: Fri, 20 Oct 2017 15:15:47 +0200
|
|
Subject: [PATCH 2/2] Fix heap overflow in HTTP protocol handling
|
|
(CVE-2017-13090)
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
* src/retr.c (fd_read_body): Stop processing on negative chunk size
|
|
|
|
Reported-by: Antti Levomäki, Christian Jalio, Joonas Pihlaja from Forcepoint
|
|
Reported-by: Juhani Eronen from Finnish National Cyber Security Centre
|
|
---
|
|
src/retr.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/src/retr.c b/src/retr.c
|
|
index a27d58af..723ac725 100644
|
|
--- a/src/retr.c
|
|
+++ b/src/retr.c
|
|
@@ -378,6 +378,12 @@ fd_read_body (const char *downloaded_filename, int fd, FILE *out, wgint toread,
|
|
remaining_chunk_size = strtol (line, &endl, 16);
|
|
xfree (line);
|
|
|
|
+ if (remaining_chunk_size < 0)
|
|
+ {
|
|
+ ret = -1;
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (remaining_chunk_size == 0)
|
|
{
|
|
ret = 0;
|