File openconnect-CVE-2019-16239.patch of Package openconnect.14956
Index: openconnect-7.08/http.c
===================================================================
--- openconnect-7.08.orig/http.c
+++ openconnect-7.08/http.c
@@ -521,7 +521,8 @@ int process_http_response(struct opencon
} else if (bodylen == BODY_CHUNKED) {
/* ... else, chunked */
while ((i = vpninfo->ssl_gets(vpninfo, buf, sizeof(buf)))) {
- int chunklen, lastchunk = 0;
+ int lastchunk = 0;
+ long chunklen;
if (i < 0) {
vpn_progress(vpninfo, PRG_ERR,
@@ -533,6 +534,18 @@ int process_http_response(struct opencon
lastchunk = 1;
goto skip;
}
+ if (chunklen < 0) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("HTTP chunk length is negative (%ld)\n"), chunklen);
+ openconnect_close_https(vpninfo, 0);
+ return -EINVAL;
+ }
+ if (chunklen >= INT_MAX) {
+ vpn_progress(vpninfo, PRG_ERR,
+ _("HTTP chunk length is too large (%ld)\n"), chunklen);
+ openconnect_close_https(vpninfo, 0);
+ return -EINVAL;
+ }
if (buf_ensure_space(body, chunklen + 1))
return buf_error(body);
while (chunklen) {