package/network/utils/curl/patches/108-CVE-2017-8817.patch

   1 From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
   2 From: Daniel Stenberg <daniel@haxx.se>
   3 Date: Fri, 10 Nov 2017 08:52:45 +0100
   4 Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
   5
   6 The code would previous read beyond the end of the pattern string if the
   7 match pattern ends with an open bracket when the default pattern
   8 matching function is used.
   9
  10 Detected by OSS-Fuzz:
  11 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
  12
  13 CVE-2017-8817
  14
  15 Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
  16 ---
  17  lib/curl_fnmatch.c      |  9 +++------
  18  tests/data/Makefile.inc |  2 +-
  19  tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
  20  3 files changed, 56 insertions(+), 7 deletions(-)
  21  create mode 100644 tests/data/test1163
  22
  23 --- a/lib/curl_fnmatch.c
  24 +++ b/lib/curl_fnmatch.c
  25 @@ -133,6 +133,9 @@ static int setcharset(unsigned char **p,
  26    unsigned char c;
  27    for(;;) {
  28      c = **p;
  29 +    if(!c)
  30 +      return SETCHARSET_FAIL;
  31 +
  32      switch(state) {
  33      case CURLFNM_SCHS_DEFAULT:
  34        if(ISALNUM(c)) { /* ASCII value */
  35 @@ -197,9 +200,6 @@ static int setcharset(unsigned char **p,
  36          else
  37            return SETCHARSET_FAIL;
  38        }
  39 -      else if(c == '\0') {
  40 -        return SETCHARSET_FAIL;
  41 -      }
  42        else {
  43          charset[c] = 1;
  44          (*p)++;
  45 @@ -278,9 +278,6 @@ static int setcharset(unsigned char **p,
  46        else if(c == ']') {
  47          return SETCHARSET_OK;
  48        }
  49 -      else if(c == '\0') {
  50 -        return SETCHARSET_FAIL;
  51 -      }
  52        else if(ISPRINT(c)) {
  53          charset[c] = 1;
  54          (*p)++;
  55 --- a/tests/data/Makefile.inc
  56 +++ b/tests/data/Makefile.inc
  57 @@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test
  58  test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
  59  test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
  60  test1144 \
  61 +test1163 \
  62  test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
  63  test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
  64  test1216 test1217 test1218 test1219 \
  65 --- /dev/null
  66 +++ b/tests/data/test1163
  67 @@ -0,0 +1,52 @@
  68 +<testcase>
  69 +<info>
  70 +<keywords>
  71 +FTP
  72 +RETR
  73 +LIST
  74 +wildcardmatch
  75 +ftplistparser
  76 +flaky
  77 +</keywords>
  78 +</info>
  79 +
  80 +#
  81 +# Server-side
  82 +<reply>
  83 +<data>
  84 +</data>
  85 +</reply>
  86 +
  87 +# Client-side
  88 +<client>
  89 +<server>
  90 +ftp
  91 +</server>
  92 +<tool>
  93 +lib576
  94 +</tool>
  95 +<name>
  96 +FTP wildcard with pattern ending with an open-bracket
  97 +</name>
  98 +<command>
  99 +"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
 100 +</command>
 101 +</client>
 102 +<verify>
 103 +<protocol>
 104 +USER anonymous
 105 +PASS ftp@example.com
 106 +PWD
 107 +CWD fully_simulated
 108 +CWD DOS
 109 +EPSV
 110 +TYPE A
 111 +LIST
 112 +QUIT
 113 +</protocol>
 114 +# 78 == CURLE_REMOTE_FILE_NOT_FOUND
 115 +<errorcode>
 116 +78
 117 +</errorcode>
 118 +</verify>
 119 +</testcase>