authorJinWang An <jinwang.an@samsung.com>2021-02-19 09:10:42 +0900
committerJinWang An <jinwang.an@samsung.com>2021-02-19 09:10:42 +0900
commit5b6729f7d5a7933ea9f86d11b3bbcd93b4f6d373 (patch)
treef514736cacdfbc9b9adb1f611e2ce4ea9991a337
parent36504903e48df444c6f3db5776527ca1b1f2514d (diff)
[CVE-2019-5482] Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3
Change-Id: I42c50d480d494d23af5f6e3419744eb1028708de Signed-off-by: JinWang An <jinwang.an@samsung.com>
-rw-r--r--Utilities/cmcurl/lib/tftp.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/Utilities/cmcurl/lib/tftp.c b/Utilities/cmcurl/lib/tftp.c
index 289cda282..d0d9b60f4 100644
--- a/Utilities/cmcurl/lib/tftp.c
+++ b/Utilities/cmcurl/lib/tftp.c
@@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
{
tftp_state_data_t *state;
int blksize;
+ int need_blksize;
blksize = TFTP_BLKSIZE_DEFAULT;
@@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
return CURLE_TFTP_ILLEGAL;
}
+ need_blksize = blksize;
+ /* default size is the fallback when no OACK is received */
+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
+ need_blksize = TFTP_BLKSIZE_DEFAULT;
+
if(!state->rpacket.data) {
- state->rpacket.data = calloc(1, blksize + 2 + 2);
+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->rpacket.data)
return CURLE_OUT_OF_MEMORY;
}
if(!state->spacket.data) {
- state->spacket.data = calloc(1, blksize + 2 + 2);
+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->spacket.data)
return CURLE_OUT_OF_MEMORY;
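Review bot: The `+ 2 + 2` in both `calloc` calls is left unexplained at the one place where the buffer size is security-relevant; a short comment above the first allocation such as `/* 2-byte opcode + 2-byte block number precede up to need_blksize bytes of data */` would tie the size to the packet layout. The existing comment could also say that both buffers are sized for the larger of the requested and the default block size, so that a later change to either state field cannot silently outgrow them. The body of tftp_connect starts and ends outside this hunk.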
@@ -1010,7 +1016,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
state->state = TFTP_STATE_START;
state->error = TFTP_ERR_NONE;
state->blksize = blksize;
- state->requested_blksize = blksize;
+ state->requested_blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
((struct sockaddr *)&state->local_addr)->sa_family =
(CURL_SA_FAMILY_T)(conn->ip_addr->ai_family);
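Review bot: The replaced assignment looks like it landed on the wrong field: `state->blksize = blksize;` stays as context while `state->requested_blksize` is now forced to `TFTP_BLKSIZE_DEFAULT`, yet the new comment ("Unless updated by OACK response") describes the block size in effect rather than the one requested. As written, the blksize validated earlier in tftp_connect is no longer carried in `requested_blksize`, and the in-effect size is still the caller's value before any OACK arrives, which is the case the allocation comment in the previous hunk says should fall back to the default. If I recall the upstream curl fix correctly, it reads `state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */` and leaves `state->requested_blksize = blksize;` unchanged; please compare against it. tftp_connect continues outside the hunk, so how the two fields are consumed is not visible here.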