{"id":"CURL-CVE-2015-3237","summary":"SMB send off unrelated memory contents","details":"libcurl can get tricked by a malicious SMB server to send off data it did not\nintend to.\n\nIn libcurl's state machine function handling the SMB protocol\n(`smb_request_state()`), two length and offset values are extracted from data\nthat has arrived over the network, and those values are subsequently used to\nfigure out what data range to send back.\n\nThe values are used and trusted without boundary checks and are just assumed\nto be valid. This allows carefully handcrafted packages to trick libcurl into\nresponding and sending off data that was not intended. Or just crash if the\nvalues cause libcurl to access invalid memory.","aliases":["CVE-2015-3237"],"modified":"2024-01-25T02:42:45.603687Z","published":"2015-06-17T08:00:00Z","database_specific":{"CWE":{"desc":"Buffer Over-read","id":"CWE-126"},"package":"curl","last_affected":"7.42.1","URL":"https://curl.se/docs/CVE-2015-3237.json","affects":"both","www":"https://curl.se/docs/CVE-2015-3237.html","severity":"High"},"affected":[{"ranges":[{"type":"SEMVER","events":[{"introduced":"7.40.0"},{"fixed":"7.43.0"}]},{"type":"GIT","repo":"https://github.com/curl/curl.git","events":[{"introduced":"e80d9d5902f38407d971587f2a6b7b839247ca92"},{"fixed":"50c7f17e503fbab5081b69c97f9d4645389b9270"}]}],"versions":["7.42.1","7.42.0","7.41.0","7.40.0"],"database_specific":{"vanir_signatures":[{"target":{"file":"lib/smb.c"},"signature_type":"Line","digest":{"line_hashes":["133709591701469678183633004515703879137","275971352638128819471138387032967939445","126077310330602836890399135254576876122","174908122469919804202893443409697812314","60081792177254282548318352902677282523","278682513450920856603214751427433535182"],"threshold":0.9},"source":"https://github.com/curl/curl.git/commit/50c7f17e503fbab5081b69c97f9d4645389b9270","signature_version":"v1","deprecated":false,"id":"CURL-CVE-2015-3237-adb1a990"},{"target":{"function":"smb_request_state","file":"lib/smb.c"},"signature_type":"Function","digest":{"length":3226,"function_hash":"143572682265013568568942217572854695151"},"source":"https://github.com/curl/curl.git/commit/50c7f17e503fbab5081b69c97f9d4645389b9270","signature_version":"v1","deprecated":false,"id":"CURL-CVE-2015-3237-d07220c2"}],"source":"https://curl.se/docs/CURL-CVE-2015-3237.json"}}],"schema_version":"1.7.3","credits":[{"name":"Daniel Stenberg","type":"FINDER"},{"name":"Daniel Stenberg","type":"REMEDIATION_DEVELOPER"}]}