Resolves: CVE-2016-8623 - fix use-after-free via shared cookies
This commit is contained in:
parent
8cc82f17a1
commit
6e32112b9a
|
@ -0,0 +1,174 @@
|
||||||
|
From 86936c59e634a4662912a3b40bcc01d214249e55 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Tue, 4 Oct 2016 23:26:13 +0200
|
||||||
|
Subject: [PATCH] cookies: getlist() now holds deep copies of all cookies
|
||||||
|
|
||||||
|
Previously it only held references to them, which was reckless as the
|
||||||
|
thread lock was released so the cookies could get modified by other
|
||||||
|
handles that share the same cookie jar over the share interface.
|
||||||
|
|
||||||
|
CVE-2016-8623
|
||||||
|
|
||||||
|
Bug: https://curl.haxx.se/docs/adv_20161102I.html
|
||||||
|
Reported-by: Cure53
|
||||||
|
|
||||||
|
Upstream-commit: c5be3d7267c725dbd093ff3a883e07ee8cf2a1d5
|
||||||
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||||
|
---
|
||||||
|
lib/cookie.c | 61 +++++++++++++++++++++++++++++++++++++++---------------------
|
||||||
|
lib/cookie.h | 4 ++--
|
||||||
|
lib/http.c | 2 +-
|
||||||
|
3 files changed, 43 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||||
|
index e5c7b7e..7a60411 100644
|
||||||
|
--- a/lib/cookie.c
|
||||||
|
+++ b/lib/cookie.c
|
||||||
|
@@ -1013,6 +1013,40 @@ static int cookie_sort(const void *p1, const void *p2)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#define CLONE(field) \
|
||||||
|
+ do { \
|
||||||
|
+ if(src->field) { \
|
||||||
|
+ dup->field = strdup(src->field); \
|
||||||
|
+ if(!dup->field) \
|
||||||
|
+ goto fail; \
|
||||||
|
+ } \
|
||||||
|
+ } while(0)
|
||||||
|
+
|
||||||
|
+static struct Cookie *dup_cookie(struct Cookie *src)
|
||||||
|
+{
|
||||||
|
+ struct Cookie *dup = calloc(sizeof(struct Cookie), 1);
|
||||||
|
+ if(dup) {
|
||||||
|
+ CLONE(expirestr);
|
||||||
|
+ CLONE(domain);
|
||||||
|
+ CLONE(path);
|
||||||
|
+ CLONE(spath);
|
||||||
|
+ CLONE(name);
|
||||||
|
+ CLONE(value);
|
||||||
|
+ CLONE(maxage);
|
||||||
|
+ CLONE(version);
|
||||||
|
+ dup->expires = src->expires;
|
||||||
|
+ dup->tailmatch = src->tailmatch;
|
||||||
|
+ dup->secure = src->secure;
|
||||||
|
+ dup->livecookie = src->livecookie;
|
||||||
|
+ dup->httponly = src->httponly;
|
||||||
|
+ }
|
||||||
|
+ return dup;
|
||||||
|
+
|
||||||
|
+ fail:
|
||||||
|
+ freecookie(dup);
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*****************************************************************************
|
||||||
|
*
|
||||||
|
* Curl_cookie_getlist()
|
||||||
|
@@ -1068,11 +1102,8 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
|
||||||
|
/* and now, we know this is a match and we should create an
|
||||||
|
entry for the return-linked-list */
|
||||||
|
|
||||||
|
- newco = malloc(sizeof(struct Cookie));
|
||||||
|
+ newco = dup_cookie(co);
|
||||||
|
if(newco) {
|
||||||
|
- /* first, copy the whole source cookie: */
|
||||||
|
- memcpy(newco, co, sizeof(struct Cookie));
|
||||||
|
-
|
||||||
|
/* then modify our next */
|
||||||
|
newco->next = mainco;
|
||||||
|
|
||||||
|
@@ -1084,12 +1115,7 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
|
||||||
|
else {
|
||||||
|
fail:
|
||||||
|
/* failure, clear up the allocated chain and return NULL */
|
||||||
|
- while(mainco) {
|
||||||
|
- co = mainco->next;
|
||||||
|
- free(mainco);
|
||||||
|
- mainco = co;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
+ Curl_cookie_freelist(mainco);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1141,7 +1167,7 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
|
||||||
|
void Curl_cookie_clearall(struct CookieInfo *cookies)
|
||||||
|
{
|
||||||
|
if(cookies) {
|
||||||
|
- Curl_cookie_freelist(cookies->cookies, TRUE);
|
||||||
|
+ Curl_cookie_freelist(cookies->cookies);
|
||||||
|
cookies->cookies = NULL;
|
||||||
|
cookies->numcookies = 0;
|
||||||
|
}
|
||||||
|
@@ -1153,21 +1179,14 @@ void Curl_cookie_clearall(struct CookieInfo *cookies)
|
||||||
|
*
|
||||||
|
* Free a list of cookies previously returned by Curl_cookie_getlist();
|
||||||
|
*
|
||||||
|
- * The 'cookiestoo' argument tells this function whether to just free the
|
||||||
|
- * list or actually also free all cookies within the list as well.
|
||||||
|
- *
|
||||||
|
****************************************************************************/
|
||||||
|
|
||||||
|
-void Curl_cookie_freelist(struct Cookie *co, bool cookiestoo)
|
||||||
|
+void Curl_cookie_freelist(struct Cookie *co)
|
||||||
|
{
|
||||||
|
struct Cookie *next;
|
||||||
|
while(co) {
|
||||||
|
next = co->next;
|
||||||
|
- if(cookiestoo)
|
||||||
|
- freecookie(co);
|
||||||
|
- else
|
||||||
|
- free(co); /* we only free the struct since the "members" are all just
|
||||||
|
- pointed out in the main cookie list! */
|
||||||
|
+ freecookie(co);
|
||||||
|
co = next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -1222,7 +1241,7 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
|
||||||
|
{
|
||||||
|
if(c) {
|
||||||
|
free(c->filename);
|
||||||
|
- Curl_cookie_freelist(c->cookies, TRUE);
|
||||||
|
+ Curl_cookie_freelist(c->cookies);
|
||||||
|
free(c); /* free the base struct as well */
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/lib/cookie.h b/lib/cookie.h
|
||||||
|
index 74a9224..ecfece2 100644
|
||||||
|
--- a/lib/cookie.h
|
||||||
|
+++ b/lib/cookie.h
|
||||||
|
@@ -7,7 +7,7 @@
|
||||||
|
* | (__| |_| | _ <| |___
|
||||||
|
* \___|\___/|_| \_\_____|
|
||||||
|
*
|
||||||
|
- * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
+ * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||||
|
*
|
||||||
|
* This software is licensed as described in the file COPYING, which
|
||||||
|
* you should have received as part of this distribution. The terms
|
||||||
|
@@ -82,7 +82,7 @@ struct Cookie *Curl_cookie_add(struct SessionHandle *data,
|
||||||
|
|
||||||
|
struct Cookie *Curl_cookie_getlist(struct CookieInfo *, const char *,
|
||||||
|
const char *, bool);
|
||||||
|
-void Curl_cookie_freelist(struct Cookie *cookies, bool cookiestoo);
|
||||||
|
+void Curl_cookie_freelist(struct Cookie *cookies);
|
||||||
|
void Curl_cookie_clearall(struct CookieInfo *cookies);
|
||||||
|
void Curl_cookie_clearsess(struct CookieInfo *cookies);
|
||||||
|
|
||||||
|
diff --git a/lib/http.c b/lib/http.c
|
||||||
|
index 53c6cf8..f9a82c8 100644
|
||||||
|
--- a/lib/http.c
|
||||||
|
+++ b/lib/http.c
|
||||||
|
@@ -2384,7 +2384,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
|
||||||
|
}
|
||||||
|
co = co->next; /* next cookie please */
|
||||||
|
}
|
||||||
|
- Curl_cookie_freelist(store, FALSE); /* free the cookie list */
|
||||||
|
+ Curl_cookie_freelist(store);
|
||||||
|
}
|
||||||
|
if(addcookies && !result) {
|
||||||
|
if(!count)
|
||||||
|
--
|
||||||
|
2.7.4
|
||||||
|
|
|
@ -31,6 +31,9 @@ Patch12: 0012-curl-7.47.1-CVE-2016-7167.patch
|
||||||
# urlparse: accept '#' as end of host name (CVE-2016-8624)
|
# urlparse: accept '#' as end of host name (CVE-2016-8624)
|
||||||
Patch13: 0013-curl-7.47.1-CVE-2016-8624.patch
|
Patch13: 0013-curl-7.47.1-CVE-2016-8624.patch
|
||||||
|
|
||||||
|
# fix use-after-free via shared cookies (CVE-2016-8623)
|
||||||
|
Patch14: 0014-curl-7.47.1-CVE-2016-8623.patch
|
||||||
|
|
||||||
# patch making libcurl multilib ready
|
# patch making libcurl multilib ready
|
||||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||||
|
|
||||||
|
@ -152,6 +155,7 @@ documentation of the library, too.
|
||||||
%patch11 -p1
|
%patch11 -p1
|
||||||
%patch12 -p1
|
%patch12 -p1
|
||||||
%patch13 -p1
|
%patch13 -p1
|
||||||
|
%patch14 -p1
|
||||||
|
|
||||||
# Fedora patches
|
# Fedora patches
|
||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
|
@ -268,6 +272,7 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
|
* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-9
|
||||||
|
- fix use-after-free via shared cookies (CVE-2016-8623)
|
||||||
- urlparse: accept '#' as end of host name (CVE-2016-8624)
|
- urlparse: accept '#' as end of host name (CVE-2016-8624)
|
||||||
- run autoreconf in %%prep to avoid patching Makefile.in files from now on
|
- run autoreconf in %%prep to avoid patching Makefile.in files from now on
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue