diff options
| author | Timo Teräs <timo.teras@iki.fi> | 2021-07-16 10:54:08 +0300 |
|---|---|---|
| committer | Timo Teräs <timo.teras@iki.fi> | 2021-07-26 14:43:35 +0300 |
| commit | 36048e8fef019c5be938f8a688845b6eef1d46ab (patch) | |
| tree | 0aa34f757463289276b3ccacc5395fdc5decca85 /libfetch/fetch.c | |
| parent | 41a6e4c247e68e906bea1ca7c31f0e8d3b49bc83 (diff) | |
| download | apk-tools-36048e8fef019c5be938f8a688845b6eef1d46ab.tar.gz apk-tools-36048e8fef019c5be938f8a688845b6eef1d46ab.tar.bz2 apk-tools-36048e8fef019c5be938f8a688845b6eef1d46ab.tar.xz apk-tools-36048e8fef019c5be938f8a688845b6eef1d46ab.zip | |
libfetch: fix range checking for http/ftp protocol parsing
Various parsing of numeric strings were not having adequate range
checking causing information leak or potential crash.
CVE-2021-36159
fixes #10749
Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>
Diffstat (limited to 'libfetch/fetch.c')
| -rw-r--r-- | libfetch/fetch.c | 15 |
1 files changed, 6 insertions, 9 deletions
diff --git a/libfetch/fetch.c b/libfetch/fetch.c index a0d4dbd..45c92aa 100644 --- a/libfetch/fetch.c +++ b/libfetch/fetch.c @@ -473,15 +473,12 @@ find_user: /* port */ if (*p == ':') { - for (q = ++p; *q && (*q != '/'); q++) - if (isdigit((unsigned char)*q)) - u->port = u->port * 10 + (*q - '0'); - else { - /* invalid port */ - url_seterr(URL_BAD_PORT); - goto ouch; - } - p = q; + u->port = fetch_parseuint(p + 1, &p, 10, IPPORT_MAX); + if (*p && *p != '/') { + /* invalid port */ + url_seterr(URL_BAD_PORT); + goto ouch; + } } /* document */ |