libcurl can get tricked by a malicious SMB server to send off data it did not intend to.
In libcurl's state machine function handling the SMB protocol (`smb_request_state()`), two length and offset values are extracted from data that has arrived over the network, and those values are subsequently used to figure out what data range to send back.
The values are used and trusted without boundary checks and are simply assumed to be valid. This allows carefully handcrafted packets to trick libcurl into responding with, and sending off, data that was never intended to leave the client, or to crash it outright if the values make libcurl access invalid memory.
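The defensive pattern that is missing here is to treat the peer-supplied offset and length as untrusted and check them against the size of the buffer the client actually holds before using them to pick a range. The example below is added to illustrate that check; it is not libcurl's code and the message layout (a 2-byte little-endian offset followed by a 2-byte little-endian length) is assumed for the example only. Note that the end of the range is computed in a wider type so that `offset + length` cannot wrap around the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical message layout assumed for this example: a 2-byte
   little-endian offset and a 2-byte little-endian length that name a range
   inside a buffer the client holds. Not libcurl's real SMB parsing. */
struct request_range {
    uint16_t offset;
    uint16_t length;
};

/* Decode the two fields from a received message.
   Returns 0 on success, -1 if the message is too short to contain them. */
int parse_range(const unsigned char *msg, size_t msg_len, struct request_range *out)
{
    if (msg == NULL || out == NULL || msg_len < 4)
        return -1;
    out->offset = (uint16_t)(msg[0] | (msg[1] << 8));
    out->length = (uint16_t)(msg[2] | (msg[3] << 8));
    return 0;
}

/* Validate the range against the buffer we actually hold. The end is
   computed in size_t so offset + length cannot wrap in uint16_t.
   Returns 1 if the whole range lies inside the buffer, 0 otherwise. */
int range_in_bounds(const struct request_range *r, size_t buf_len)
{
    size_t end = (size_t)r->offset + (size_t)r->length;
    return end <= buf_len;
}

/* Select the bytes to send back. Returns NULL and sets *out_len to 0 when
   the peer-supplied range is malformed or does not fit inside our buffer,
   so nothing outside the buffer is ever read or transmitted. */
const unsigned char *select_send_range(const unsigned char *buf, size_t buf_len,
                                       const unsigned char *msg, size_t msg_len,
                                       size_t *out_len)
{
    struct request_range r;
    *out_len = 0;
    if (parse_range(msg, msg_len, &r) != 0)
        return NULL;
    if (!range_in_bounds(&r, buf_len))
        return NULL;
    *out_len = r.length;
    return buf + r.offset;
}

/* Constructed sample data: a 16-byte client buffer and two peer messages,
   one naming a valid range and one reaching past the end of the buffer. */
static const unsigned char sample_buf[] = "0123456789abcdef";
#define SAMPLE_BUF_LEN (sizeof sample_buf - 1)
static const unsigned char good_msg[4] = {0x04, 0x00, 0x08, 0x00}; /* offset 4, length 8 */
static const unsigned char bad_msg[4]  = {0x0c, 0x00, 0x10, 0x00}; /* offset 12, length 16 */

/* Returns 1 if the valid message is served and the out-of-range one refused. */
int demo_checks_pass(void)
{
    size_t n;
    const unsigned char *p = select_send_range(sample_buf, SAMPLE_BUF_LEN,
                                               good_msg, sizeof good_msg, &n);
    if (p == NULL || n != 8 || memcmp(p, "456789ab", 8) != 0)
        return 0;
    p = select_send_range(sample_buf, SAMPLE_BUF_LEN,
                          bad_msg, sizeof bad_msg, &n);
    if (p != NULL || n != 0)
        return 0;
    return 1;
}
```

A range whose offset equals the buffer length with a zero length is accepted as an empty range, which is harmless; everything that would read beyond the buffer, including combinations that overflow a 16-bit sum, is rejected before any pointer arithmetic is done.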