curl: fix some security problems
[openwrt/openwrt.git] / package / network / utils / curl / patches / 108-CVE-2017-8817.patch
1 From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Fri, 10 Nov 2017 08:52:45 +0100
4 Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
5
6 The code would previously read beyond the end of the pattern string if the
7 match pattern ends with an open bracket when the default pattern
8 matching function is used.
9
10 Detected by OSS-Fuzz:
11 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
12
13 CVE-2017-8817
14
15 Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
16 ---
17 lib/curl_fnmatch.c | 9 +++------
18 tests/data/Makefile.inc | 2 +-
19 tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
20 3 files changed, 56 insertions(+), 7 deletions(-)
21 create mode 100644 tests/data/test1163
22
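--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p,
 unsigned char c;
 for(;;) {
 c = **p;
+ if(!c)
+ return SETCHARSET_FAIL;
+
 switch(state) {
 case CURLFNM_SCHS_DEFAULT:
 if(ISALNUM(c)) { /* ASCII value */
@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p,
 else
 return SETCHARSET_FAIL;
 }
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
 else {
 charset[c] = 1;
 (*p)++;
@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p,
 else if(c == ']') {
 return SETCHARSET_OK;
 }
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
 else if(ISPRINT(c)) {
 charset[c] = 1;
 (*p)++;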
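Review bot: The new `if(!c) return SETCHARSET_FAIL;` at the top of the `for(;;)` loop becomes the only end-of-pattern check visible in `setcharset` once the two per-state `c == '\0'` branches are removed, and nothing in the code records that invariant. It holds only while every state branch advances `*p` by at most one byte per iteration; the loop body between the hunks is not visible here, so any branch that skips further ahead should be confirmed not to step over the terminator. I would add a comment directly above the guard, e.g. `/* sole NUL check for this loop: no branch below may advance *p by more than one byte */`, so a later edit does not reintroduce the out-of-bounds read. The function starts before the first hunk and ends after the last one.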
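--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test
 test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
 test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
 test1144 \
+test1163 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
 test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
 test1216 test1217 test1218 test1219 \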
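--- /dev/null
+++ b/tests/data/test1163
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+LIST
+wildcardmatch
+ftplistparser
+flaky
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib576
+</tool>
+<name>
+FTP wildcard with pattern ending with an open-bracket
+</name>
+<command>
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
+</command>
+</client>
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD fully_simulated
+CWD DOS
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
+<errorcode>
+78
+</errorcode>
+</verify>
+</testcase>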
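Review bot: The regression test for CVE-2017-8817 is tagged `flaky` in `<keywords>`, and its only result check is `<errorcode>` 78 plus the protocol trace. A read a few bytes past the end of the pattern will usually not change either of those, so the test presumably tells fixed from unfixed code only when it runs under a memory checker (valgrind or a sanitizer build). Any test run that filters out `flaky` cases would skip it altogether. If the flakiness comes from the shared FTP wildcard setup and not from this case, consider dropping the keyword here. A `#` comment above `<verify>` would record the requirement, e.g. `# only meaningful under valgrind/ASan: the bug is a heap over-read`.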