Attachment 625842 Details for Bug 864612 – libproxy 0.3 patch

[patch] libproxy 0.3 patch

libproxy-0.3-CVE-2012-4505.diff (text/plain), 1.09 KB, created by Tomas Hoger on 2012-10-12 07:59:23 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Tomas Hoger

Created: 2012-10-12 07:59:23 UTC

Size: 1.09 KB

patch

obsolete

>diff -pruN libproxy-0.3.0.orig/src/lib/pac.c libproxy-0.3.0/src/lib/pac.c
>--- libproxy-0.3.0.orig/src/lib/pac.c	2009-08-14 21:00:32.000000000 +0200
>+++ libproxy-0.3.0/src/lib/pac.c	2012-10-12 09:40:39.440795952 +0200
>@@ -35,6 +35,9 @@
> 
> #define PAC_MIME_TYPE "application/x-ns-proxy-autoconfig"
> 
>+// This is the maximum pac size (to avoid memory attacks)
>+#define PAC_MAX_SIZE 102400
>+
> /**
>  * ProxyAutoConfig object.  All fields are private.
>  */
>@@ -159,12 +162,15 @@ px_pac_reload(pxPAC *self)
> 		}
> 
> 		/* Get content */
>-		if (!content_length || !correct_mime_type) goto error;
>+		if (content_length == 0 || content_length > PAC_MAX_SIZE || !correct_mime_type) goto error;
> 		px_free(line); line = NULL;
> 		px_free(self->cache);
> 		self->cache = px_malloc0(content_length+1);
>-		for (int recvd=0 ; recvd != content_length ; )
>-			recvd += recv(sock, self->cache + recvd, content_length - recvd, 0);
>+		for (int recvd=0 ; recvd != content_length ; ) {
>+			int r = recv(sock, self->cache + recvd, content_length - recvd, 0);
>+			if (r <= 0) goto error;
>+			recvd += r;
>+		}
> 	}
> 	else
> 	{ /* file:// url */

Actions: View | Diff

Attachments on bug 864612: 625842