Overview

File openconnect-CVE-2019-16239.patch of Package openconnect.14956

Index: openconnect-7.08/http.c
===================================================================
--- openconnect-7.08.orig/http.c
+++ openconnect-7.08/http.c
@@ -521,7 +521,8 @@ int process_http_response(struct opencon
 	} else if (bodylen == BODY_CHUNKED) {
 		/* ... else, chunked */
 		while ((i = vpninfo->ssl_gets(vpninfo, buf, sizeof(buf)))) {
-			int chunklen, lastchunk = 0;
+			int lastchunk = 0;
+			long chunklen;
 
 			if (i < 0) {
 				vpn_progress(vpninfo, PRG_ERR,
@@ -533,6 +534,18 @@ int process_http_response(struct opencon
 				lastchunk = 1;
 				goto skip;
 			}
+			if (chunklen < 0) {
+				vpn_progress(vpninfo, PRG_ERR,
+					     _("HTTP chunk length is negative (%ld)\n"), chunklen);
+				openconnect_close_https(vpninfo, 0);
+				return -EINVAL;
+			}
+			if (chunklen >= INT_MAX) {
+				vpn_progress(vpninfo, PRG_ERR,
+					     _("HTTP chunk length is too large (%ld)\n"), chunklen);
+				openconnect_close_https(vpninfo, 0);
+				return -EINVAL;
+			}
 			if (buf_ensure_space(body, chunklen + 1))
 				return buf_error(body);
 			while (chunklen) {
openSUSE Build Service is sponsored by
Places