53 lines
1.9 KiB
Diff
53 lines
1.9 KiB
Diff
From 97d64d270d094d02a686dfe0d80e232df66d92e6 Mon Sep 17 00:00:00 2001
|
|
From: leizhongkai <leizhongkai@huawei.com>
|
|
Date: Wed, 5 Jun 2019 12:00:48 +0800
|
|
Subject: [PATCH 1/2] busybox: fix CVE-2018-1000517
|
|
|
|
reason:fix CVE-2018-1000517
|
|
cherry-pick from https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
|
|
see https://nvd.nist.gov/vuln/detail/CVE-2018-1000517 for more details
|
|
|
|
Signed-off-by: leizhongkai <leizhongkai@huawei.com>
|
|
---
|
|
networking/wget.c | 13 +++++++++++--
|
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/networking/wget.c b/networking/wget.c
|
|
index d1d8523..309b983 100644
|
|
--- a/networking/wget.c
|
|
+++ b/networking/wget.c
|
|
@@ -641,7 +641,7 @@ static FILE* prepare_ftp_session(FILE **dfpp, struct host_info *target, len_and_
|
|
if (ftpcmd("SIZE ", target->path, sfp) == 213) {
|
|
G.content_len = BB_STRTOOFF(G.wget_buf + 4, NULL, 10);
|
|
if (G.content_len < 0 || errno) {
|
|
- bb_error_msg_and_die("SIZE value is garbage");
|
|
+ bb_error_msg_and_die("bad SIZE value '%s'", G.wget_buf + 4);
|
|
}
|
|
G.got_clen = 1;
|
|
}
|
|
@@ -924,11 +924,20 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
|
|
if (!G.chunked)
|
|
break;
|
|
|
|
+ /* Each chunk ends with "\r\n" - eat it */
|
|
+ fgets_trim_sanitize(dfp, NULL);
|
|
fgets_and_trim(dfp, NULL); /* Eat empty line */
|
|
get_clen:
|
|
+ /* chunk size format is "HEXNUM[;name[=val]]\r\n" */
|
|
fgets_and_trim(dfp, NULL);
|
|
+ errno = 0;
|
|
G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
|
|
- /* FIXME: error check? */
|
|
+ /*
|
|
+ * Had a bug with inputs like "ffffffff0001f400"
|
|
+ * smashing the heap later. Ensure >= 0.
|
|
+ */
|
|
+ if (G.content_len < 0 || errno)
|
|
+ bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
|
|
if (G.content_len == 0)
|
|
break; /* all done! */
|
|
G.got_clen = 1;
|
|
--
|
|
1.8.3.1
|
|
|