| From a83dae404feac517695c23ff43ce1e116e2bfbe0 Mon Sep 17 00:00:00 2001 |
| From: Michael Catanzaro <mcatanzaro@gnome.org> |
| Date: Wed, 9 Sep 2020 11:12:02 -0500 |
| Subject: [PATCH] Rewrite url::recvline to be nonrecursive |
| |
| This function processes network input. It's semi-trusted, because the |
| PAC ought to be trusted. But we still shouldn't allow it to control how |
| far we recurse. A malicious PAC can cause us to overflow the stack by |
| sending a sufficiently-long line without any '\n' character. |
| |
| Also, this function failed to properly handle EINTR, so let's fix that |
| too, for good measure. |
| |
| Fixes #134 |
| |
| Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/836c10b60c65e947ff1e10eb02fbcc676d909ffa] |
| CVE: CVE-2020-25219 |
| Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> |
| --- |
| libproxy/url.cpp | 28 ++++++++++++++++++---------- |
| 1 file changed, 18 insertions(+), 10 deletions(-) |
| |
| diff --git a/libproxy/url.cpp b/libproxy/url.cpp |
| index ee776b2..68d69cd 100644 |
| --- a/libproxy/url.cpp |
| +++ b/libproxy/url.cpp |
| @@ -388,16 +388,24 @@ string url::to_string() const { |
| return m_orig; |
| } |
| |
| -static inline string recvline(int fd) { |
| - // Read a character. |
| - // If we don't get a character, return empty string. |
| - // If we are at the end of the line, return empty string. |
| - char c = '\0'; |
| - |
| - if (recv(fd, &c, 1, 0) != 1 || c == '\n') |
| - return ""; |
| - |
| - return string(1, c) + recvline(fd); |
| +static string recvline(int fd) { |
| + string line; |
| + int ret; |
| + |
| + // Reserve arbitrary amount of space to avoid small memory reallocations. |
| + line.reserve(128); |
| + |
| + do { |
| + char c; |
| + ret = recv(fd, &c, 1, 0); |
| + if (ret == 1) { |
| + if (c == '\n') |
| + return line; |
| + line += c; |
| + } |
| + } while (ret == 1 || (ret == -1 && errno == EINTR)); |
| + |
| + return line; |
| } |
| |
| char* url::get_pac() { |