author | JinWang An <jinwang.an@samsung.com> | 2021-02-19 09:10:42 +0900 |
---|---|---|
committer | JinWang An <jinwang.an@samsung.com> | 2021-02-19 09:10:42 +0900 |
commit | 5b6729f7d5a7933ea9f86d11b3bbcd93b4f6d373 (patch) | |
tree | f514736cacdfbc9b9adb1f611e2ce4ea9991a337 | |
parent | 36504903e48df444c6f3db5776527ca1b1f2514d (diff) | |
[CVE-2019-5482] Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3
Change-Id: I42c50d480d494d23af5f6e3419744eb1028708de
Signed-off-by: JinWang An <jinwang.an@samsung.com>
-rw-r--r-- | Utilities/cmcurl/lib/tftp.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/Utilities/cmcurl/lib/tftp.c b/Utilities/cmcurl/lib/tftp.c
index 289cda282..d0d9b60f4 100644
--- a/Utilities/cmcurl/lib/tftp.c
+++ b/Utilities/cmcurl/lib/tftp.c
@@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
 {
 tftp_state_data_t *state;
 int blksize;
+ int need_blksize;
 blksize = TFTP_BLKSIZE_DEFAULT;
@@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
 return CURLE_TFTP_ILLEGAL;
 }
+ need_blksize = blksize;
+ /* default size is the fallback when no OACK is received */
+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
+ need_blksize = TFTP_BLKSIZE_DEFAULT;
+
 if(!state->rpacket.data) {
- state->rpacket.data = calloc(1, blksize + 2 + 2);
+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
 if(!state->rpacket.data)
 return CURLE_OUT_OF_MEMORY;
 }
 if(!state->spacket.data) {
- state->spacket.data = calloc(1, blksize + 2 + 2);
+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
 if(!state->spacket.data)
 return CURLE_OUT_OF_MEMORY;
@@ -1010,7 +1016,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
 state->state = TFTP_STATE_START;
 state->error = TFTP_ERR_NONE;
 state->blksize = blksize;
- state->requested_blksize = blksize;
+ state->requested_blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
 ((struct sockaddr *)&state->local_addr)->sa_family =
 (CURL_SA_FAMILY_T)(conn->ip_addr->ai_family);
|
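Review bot: The last hunk resets `state->requested_blksize` to the default while leaving `state->blksize = blksize;` untouched, which looks like the fix was applied to the wrong field. The attached comment `/* Unless updated by OACK response */` describes the negotiated size, and the comment in the second hunk says the default is the fallback when no OACK arrives, so the field that should start at the default is `state->blksize`. If code outside these hunks builds the blksize option from `requested_blksize` and bounds the server's OACK value with it (not visible here, confirm), the caller's configured size is never requested and the negotiated size starts at a value the server never agreed to. The lines would then read `state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */` and `state->requested_blksize = blksize;`. Compare this against the upstream curl patch for this CVE before relying on the backport.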