path: root/meta/recipes-support/curl/curl/CVE-2016-8623.patch
Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2016-8623.patch')
-rw-r--r--meta/recipes-support/curl/curl/CVE-2016-8623.patch174
1 files changed, 174 insertions, 0 deletions
diff --git a/meta/recipes-support/curl/curl/CVE-2016-8623.patch b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
new file mode 100644
index 0000000000..17eaf2b7ee
--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2016-8623.patch
@@ -0,0 +1,174 @@
+From d9d57fe0da6f25d05570fd583520ecd321ed9c3f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 4 Oct 2016 23:26:13 +0200
+Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
+
+Previously it only held references to them, which was reckless as the
+thread lock was released so the cookies could get modified by other
+handles that share the same cookie jar over the share interface.
+
+CVE-2016-8623
+
+Bug: https://curl.haxx.se/docs/adv_20161102I.html
+Reported-by: Cure53
+
+Upstream-Status: Backport
+https://curl.haxx.se/CVE-2016-8623.patch
+CVE: CVE-2016-8623
+Signed-off-by: Thiruvadi Rajaraman <trajaraman@mvista.com>
+
+---
+ lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
+ lib/cookie.h | 4 ++--
+ lib/http.c | 2 +-
+ 3 files changed, 43 insertions(+), 24 deletions(-)
+
+Index: curl-7.44.0/lib/cookie.c
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.c
++++ curl-7.44.0/lib/cookie.c
+@@ -1019,6 +1019,40 @@ static int cookie_sort(const void *p1, c
+ return 0;
+ }
+
++#define CLONE(field) \
++ do { \
++ if(src->field) { \
++ dup->field = strdup(src->field); \
++ if(!dup->field) \
++ goto fail; \
++ } \
++ } while(0)
++
++static struct Cookie *dup_cookie(struct Cookie *src)
++{
++ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
++ if(dup) {
++ CLONE(expirestr);
++ CLONE(domain);
++ CLONE(path);
++ CLONE(spath);
++ CLONE(name);
++ CLONE(value);
++ CLONE(maxage);
++ CLONE(version);
++ dup->expires = src->expires;
++ dup->tailmatch = src->tailmatch;
++ dup->secure = src->secure;
++ dup->livecookie = src->livecookie;
++ dup->httponly = src->httponly;
++ }
++ return dup;
++
++ fail:
++ freecookie(dup);
++ return NULL;
++}
++
+ /*****************************************************************************
+ *
+ * Curl_cookie_getlist()
+@@ -1074,11 +1108,8 @@ struct Cookie *Curl_cookie_getlist(struc
+ /* and now, we know this is a match and we should create an
+ entry for the return-linked-list */
+
+- newco = malloc(sizeof(struct Cookie));
++ newco = dup_cookie(co);
+ if(newco) {
+- /* first, copy the whole source cookie: */
+- memcpy(newco, co, sizeof(struct Cookie));
+-
+ /* then modify our next */
+ newco->next = mainco;
+
+@@ -1090,12 +1121,7 @@ struct Cookie *Curl_cookie_getlist(struc
+ else {
+ fail:
+ /* failure, clear up the allocated chain and return NULL */
+- while(mainco) {
+- co = mainco->next;
+- free(mainco);
+- mainco = co;
+- }
+-
++ Curl_cookie_freelist(mainco);
+ return NULL;
+ }
+ }
+@@ -1147,7 +1173,7 @@ struct Cookie *Curl_cookie_getlist(struc
+ void Curl_cookie_clearall(struct CookieInfo *cookies)
+ {
+ if(cookies) {
+- Curl_cookie_freelist(cookies->cookies, TRUE);
++ Curl_cookie_freelist(cookies->cookies);
+ cookies->cookies = NULL;
+ cookies->numcookies = 0;
+ }
+@@ -1159,21 +1185,14 @@ void Curl_cookie_clearall(struct CookieI
+ *
+ * Free a list of cookies previously returned by Curl_cookie_getlist();
+ *
+- * The 'cookiestoo' argument tells this function whether to just free the
+- * list or actually also free all cookies within the list as well.
+- *
+ ****************************************************************************/
+
+-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
++void Curl_cookie_freelist(struct Cookie *co)
+ {
+ struct Cookie *next;
+ while(co) {
+ next = co->next;
+- if(cookiestoo)
+- freecookie(co);
+- else
+- free(co); /* we only free the struct since the "members" are all just
+- pointed out in the main cookie list! */
++ freecookie(co);
+ co = next;
+ }
+ }
+@@ -1228,7 +1247,7 @@ void Curl_cookie_cleanup(struct CookieIn
+ {
+ if(c) {
+ free(c->filename);
+- Curl_cookie_freelist(c->cookies, TRUE);
++ Curl_cookie_freelist(c->cookies);
+ free(c); /* free the base struct as well */
+ }
+ }
+Index: curl-7.44.0/lib/cookie.h
+===================================================================
+--- curl-7.44.0.orig/lib/cookie.h
++++ curl-7.44.0/lib/cookie.h
+@@ -7,7 +7,7 @@
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct Se
+
+ struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
+ const char *, bool);
+-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
++void Curl_cookie_freelist(struct Cookie *cookies);
+ void Curl_cookie_clearall(struct CookieInfo *cookies);
+ void Curl_cookie_clearsess(struct CookieInfo *cookies);
+
+Index: curl-7.44.0/lib/http.c
+===================================================================
+--- curl-7.44.0.orig/lib/http.c
++++ curl-7.44.0/lib/http.c
+@@ -2371,7 +2371,7 @@ CURLcode Curl_http(struct connectdata *c
+ }
+ co = co->next; /* next cookie please */
+ }
+- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
++ Curl_cookie_freelist(store);
+ }
+ if(addcookies && !result) {
+ if(!count)
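Review bot: The `CLONE` macro introduced just before `dup_cookie` in the lib/cookie.c hunk silently depends on the locals `src` and `dup` and on the `fail:` label of the enclosing function, and it is never `#undef`'d, so it remains visible to everything that follows it in cookie.c. A one-line comment above the definition, `/* CLONE needs src, dup and a fail: label in scope */`, plus `#undef CLONE` right after the closing brace of `dup_cookie` would confine it and document the contract. In the same function `calloc(sizeof(struct Cookie), 1)` has the count and size arguments in the unconventional order; the allocation is the same size either way, but `calloc(1, sizeof *dup)` reads as one element and keeps the type tied to the variable. Since this file is a verbatim backport of the upstream fix, these are better recorded as notes for the recipe maintainer than applied as local deviations from the upstream patch.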