mirror of
https://git.yoctoproject.org/poky
synced 2026-05-09 17:39:31 +00:00
curl: Fix CVE-2022-42915
HTTP proxy double-free Link: https://security-tracker.debian.org/tracker/CVE-2022-42915 (From OE-Core rev: 4754f33d7ec96f72351853463540c8b1a3f4bc0c) Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Bhabu Bindu
committed by
Richard Purdie
Richard Purdie
parent
b1ea1218bd
commit
bfec99ed33
@@ -0,0 +1,53 @@
|
|||||||
|
From 55e1875729f9d9fc7315cec611bffbd2c817ad89 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Stenberg <daniel@haxx.se>
|
||||||
|
Date: Thu, 6 Oct 2022 14:13:36 +0200
|
||||||
|
Subject: [PATCH] http_proxy: restore the protocol pointer on error
|
||||||
|
|
||||||
|
Reported-by: Trail of Bits
|
||||||
|
|
||||||
|
Closes #9790
|
||||||
|
|
||||||
|
CVE: CVE-2022-42915
|
||||||
|
Upstream-Status: Backport [https://github.com/curl/curl/commit/55e1875729f9d9fc7315cec611bffbd2c817ad89]
|
||||||
|
Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com>
|
||||||
|
---
|
||||||
|
lib/http_proxy.c | 6 ++----
|
||||||
|
lib/url.c | 9 ---------
|
||||||
|
2 files changed, 2 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/http_proxy.c b/lib/http_proxy.c
|
||||||
|
index 1f87f6c62aa40..cc20b3a801941 100644
|
||||||
|
--- a/lib/http_proxy.c
|
||||||
|
+++ b/lib/http_proxy.c
|
||||||
|
@@ -212,10 +212,8 @@ void Curl_connect_done(struct Curl_easy *data)
|
||||||
|
Curl_dyn_free(&s->rcvbuf);
|
||||||
|
Curl_dyn_free(&s->req);
|
||||||
|
|
||||||
|
- /* restore the protocol pointer, if not already done */
|
||||||
|
- if(s->prot_save)
|
||||||
|
- data->req.p.http = s->prot_save;
|
||||||
|
- s->prot_save = NULL;
|
||||||
|
+ /* restore the protocol pointer */
|
||||||
|
+ data->req.p.http = s->prot_save;
|
||||||
|
data->info.httpcode = 0; /* clear it as it might've been used for the
|
||||||
|
proxy */
|
||||||
|
data->req.ignorebody = FALSE;
|
||||||
|
diff --git a/lib/url.c b/lib/url.c
|
||||||
|
index 690c53c81a3c1..be5ffca2d8b20 100644
|
||||||
|
--- a/lib/url.c
|
||||||
|
+++ b/lib/url.c
|
||||||
|
@@ -751,15 +751,6 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
|
||||||
|
DEBUGASSERT(data);
|
||||||
|
infof(data, "Closing connection %ld", conn->connection_id);
|
||||||
|
|
||||||
|
-#ifndef USE_HYPER
|
||||||
|
- if(conn->connect_state && conn->connect_state->prot_save) {
|
||||||
|
- /* If this was closed with a CONNECT in progress, cleanup this temporary
|
||||||
|
- struct arrangement */
|
||||||
|
- data->req.p.http = NULL;
|
||||||
|
- Curl_safefree(conn->connect_state->prot_save);
|
||||||
|
- }
|
||||||
|
-#endif
|
||||||
|
-
|
||||||
|
/* possible left-overs from the async name resolvers */
|
||||||
|
Curl_resolver_cancel(data);
|
||||||
@@ -31,6 +31,7 @@ SRC_URI = "https://curl.se/download/${BP}.tar.xz \
|
|||||||
file://CVE-2022-35252.patch \
|
file://CVE-2022-35252.patch \
|
||||||
file://CVE-2022-32221.patch \
|
file://CVE-2022-32221.patch \
|
||||||
file://CVE-2022-42916.patch \
|
file://CVE-2022-42916.patch \
|
||||||
|
file://CVE-2022-42915.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
|
SRC_URI[sha256sum] = "0aaa12d7bd04b0966254f2703ce80dd5c38dbbd76af0297d3d690cdce58a583c"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user