File curl-CVE-2019-5482.patch of Package curl.13027
From 0846bdc0c3f8323b931247ca31c2fb30a3265f00 Mon Sep 17 00:00:00 2001
From: Thomas Vegas <>
Date: Sat, 31 Aug 2019 17:30:51 +0200
Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
received
Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.
---
lib/tftp.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
Index: curl-7.60.0/lib/tftp.c
===================================================================
--- curl-7.60.0.orig/lib/tftp.c
+++ curl-7.60.0/lib/tftp.c
@@ -970,6 +970,7 @@ static CURLcode tftp_connect(struct conn
{
tftp_state_data_t *state;
int blksize, rc;
+ int need_blksize;
blksize = TFTP_BLKSIZE_DEFAULT;
@@ -984,15 +985,20 @@ static CURLcode tftp_connect(struct conn
return CURLE_TFTP_ILLEGAL;
}
+ need_blksize = blksize;
+ /* default size is the fallback when no OACK is received */
+ if(need_blksize < TFTP_BLKSIZE_DEFAULT)
+ need_blksize = TFTP_BLKSIZE_DEFAULT;
+
if(!state->rpacket.data) {
- state->rpacket.data = calloc(1, blksize + 2 + 2);
+ state->rpacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->rpacket.data)
return CURLE_OUT_OF_MEMORY;
}
if(!state->spacket.data) {
- state->spacket.data = calloc(1, blksize + 2 + 2);
+ state->spacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->spacket.data)
return CURLE_OUT_OF_MEMORY;
@@ -1006,7 +1012,7 @@ static CURLcode tftp_connect(struct conn
state->sockfd = state->conn->sock[FIRSTSOCKET];
state->state = TFTP_STATE_START;
state->error = TFTP_ERR_NONE;
- state->blksize = blksize;
+ state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
state->requested_blksize = blksize;
((struct sockaddr *)&state->local_addr)->sa_family =