diff options
author | Gordon Tetlow <gordon@FreeBSD.org> | 2020-01-28 18:37:18 +0000 |
---|---|---|
committer | Gordon Tetlow <gordon@FreeBSD.org> | 2020-01-28 18:37:18 +0000 |
commit | 6fb3f9944faefa41b322b5e1bc0d280b4005ca44 (patch) | |
tree | cd445a8b6f5ebdc0a60e5e1ab4922ddbf98fac9f /lib/libfetch | |
parent | 95e6640be2eaed01e9186f1a437b5863b851285d (diff) | |
download | src-test-6fb3f9944faefa41b322b5e1bc0d280b4005ca44.tar.gz src-test-6fb3f9944faefa41b322b5e1bc0d280b4005ca44.zip |
Fix urldecode buffer overrun.
Reported by: Duncan Overbruck
Security: CVE-2020-7450
Notes
Notes:
svn path=/head/; revision=357212
Diffstat (limited to 'lib/libfetch')
-rw-r--r-- | lib/libfetch/fetch.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/libfetch/fetch.c b/lib/libfetch/fetch.c index b3ed702b3185c..9eec0730fa7df 100644 --- a/lib/libfetch/fetch.c +++ b/lib/libfetch/fetch.c @@ -332,6 +332,8 @@ fetch_pctdecode(char *dst, const char *src, size_t dlen) } if (dlen-- > 0) *dst++ = c; + else + return (NULL); } return (s); } @@ -381,11 +383,15 @@ fetchParseURL(const char *URL) if (p && *p == '@') { /* username */ q = fetch_pctdecode(u->user, URL, URL_USERLEN); + if (q == NULL) + goto ouch; /* password */ - if (*q == ':') + if (*q == ':') { q = fetch_pctdecode(u->pwd, q + 1, URL_PWDLEN); - + if (q == NULL) + goto ouch; + } p++; } else { p = URL; |