From d2f1a8bdce9d77a277d05adae025d369c1bdd9e6 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Fri, 22 May 2015 10:28:21 +0200
Subject: [PATCH] SMB: rangecheck values read off incoming packet
CVE-2015-3237
Detected by Coverity. CID 1299430.
Bug: http://curl.haxx.se/docs/adv_20150617B.html
---
lib/smb.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/smb.c b/lib/smb.c
index 8cb3503..d461a71 100644
--- a/lib/smb.c
+++ b/lib/smb.c
@@ -781,13 +781,19 @@ static CURLcode smb_request_state(struct connectdata *conn, bool *done)
len = Curl_read16_le(((unsigned char *) msg) +
sizeof(struct smb_header) + 11);
off = Curl_read16_le(((unsigned char *) msg) +
sizeof(struct smb_header) + 13);
if(len > 0) {
- result = Curl_client_write(conn, CLIENTWRITE_BODY,
- (char *)msg + off + sizeof(unsigned int),
- len);
+ struct smb_conn *smbc = &conn->proto.smbc;
+ if(off + sizeof(unsigned int) + len > smbc->got) {
+ failf(conn->data, "Invalid input packet");
+ result = CURLE_RECV_ERROR;
+ }
+ else
+ result = Curl_client_write(conn, CLIENTWRITE_BODY,
+ (char *)msg + off + sizeof(unsigned int),
+ len);
if(result) {
req->result = result;
next_state = SMB_CLOSE;
break;
}
--
2.1.4
distrib
>
Mageia
>
5
>
i586
>
media
>
core-updates-src
>
by-pkgid
>
67078878a4913478b07175fca0ac19af
>
files
>
12
