author | Mike Sullivan <Mike.Sullivan@Oracle.COM> |
Fri, 13 May 2016 17:33:30 -0700 | |
changeset 5983 | f10ab5ae99d7 |
parent 1590 | 07e597d0017b |
permissions | -rw-r--r-- |
1 |
CVE-2012-0804 - Fix proxy response parser |
2 |
|
3 |
If the proxy sends an overlong HTTP version string, the string will be copied |
4 |
to unallocated space (write_buf), causing a heap overflow. |
5 |
|
6 |
This patch fixes it by ignoring the HTTP version string and checking |
7 |
the response line has been parsed correctly. |
8 |
|
9 |
See <https://bugzilla.redhat.com/show_bug.cgi?id=773699> for more |
10 |
details. |
11 |
|
12 |
--- cvs-1.12.13/src/client.c.orig 2013-12-09 13:26:55.209065160 -0800 |
13 |
+++ cvs-1.12.13/src/client.c 2013-12-09 13:32:25.632884394 -0800 |
14 |
@@ -3558,9 +3558,9 @@ |
15 |
* code. |
16 |
*/ |
17 |
read_line_via (from_server, to_server, &read_buf); |
18 |
- sscanf (read_buf, "%s %d", write_buf, &codenum); |
19 |
+ count = sscanf (read_buf, "%*s %d", &codenum); |
20 |
|
21 |
- if ((codenum / 100) != 2) |
22 |
+ if (count != 1 || (codenum / 100) != 2) |
23 |
error (1, 0, "proxy server %s:%d does not support http tunnelling", |
24 |
root->proxy_hostname, proxy_port_number); |
25 |
free (read_buf); |
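Review bot: The `%d` conversion on the new line `count = sscanf (read_buf, "%*s %d", &codenum);` is still fed directly by the proxy, and a run of digits too long to fit an `int` is undefined behaviour for scanf rather than a clean failure, so a hostile proxy can still push this parser off the well-defined path even though the heap write is gone. Bounding the field to the three digits an HTTP status code can carry, `count = sscanf (read_buf, "%*s %3d", &codenum);`, keeps the fix and closes that case, while the added `count != 1` guard continues to reject a status field that is not numeric at all. The hunk does not show a declaration of `count`; unless one already exists in the enclosing function (whose body starts and ends outside this hunk), the patch needs an `int count;` added alongside `codenum`.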