Blame SOURCES/0016-curl-7.76.1-CVE-2022-32208.patch

372e18
From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
372e18
From: Daniel Stenberg <daniel@haxx.se>
372e18
Date: Thu, 9 Jun 2022 09:27:24 +0200
372e18
Subject: [PATCH] krb5: return error properly on decode errors
372e18
372e18
Bug: https://curl.se/docs/CVE-2022-32208.html
372e18
CVE-2022-32208
372e18
Reported-by: Harry Sintonen
372e18
Closes #9051
372e18
372e18
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
372e18
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
372e18
---
372e18
 lib/krb5.c | 18 +++++++++++-------
372e18
 1 file changed, 11 insertions(+), 7 deletions(-)
372e18
372e18
diff --git a/lib/krb5.c b/lib/krb5.c
372e18
index 787137c..6f9e1f7 100644
372e18
--- a/lib/krb5.c
372e18
+++ b/lib/krb5.c
372e18
@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len,
372e18
   enc.value = buf;
372e18
   enc.length = len;
372e18
   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
372e18
-  if(maj != GSS_S_COMPLETE) {
372e18
-    if(len >= 4)
372e18
-      strcpy(buf, "599 ");
372e18
+  if(maj != GSS_S_COMPLETE)
372e18
     return -1;
372e18
-  }
372e18
 
372e18
   memcpy(buf, dec.value, dec.length);
372e18
   len = curlx_uztosi(dec.length);
372e18
@@ -523,6 +520,7 @@ static CURLcode read_data(struct connectdata *conn,
372e18
 {
372e18
   int len;
372e18
   CURLcode result;
372e18
+  int nread;
372e18
 
372e18
   result = socket_read(fd, &len, sizeof(len));
372e18
   if(result)
372e18
@@ -531,7 +529,10 @@ static CURLcode read_data(struct connectdata *conn,
372e18
   if(len) {
372e18
     /* only realloc if there was a length */
372e18
     len = ntohl(len);
372e18
-    buf->data = Curl_saferealloc(buf->data, len);
372e18
+    if(len > CURL_MAX_INPUT_LENGTH)
372e18
+      len = 0;
372e18
+    else
372e18
+      buf->data = Curl_saferealloc(buf->data, len);
372e18
   }
372e18
   if(!len || !buf->data)
372e18
     return CURLE_OUT_OF_MEMORY;
372e18
@@ -539,8 +540,11 @@ static CURLcode read_data(struct connectdata *conn,
372e18
   result = socket_read(fd, buf->data, len);
372e18
   if(result)
372e18
     return result;
372e18
-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
372e18
-                                 conn->data_prot, conn);
372e18
+  nread = conn->mech->decode(conn->app_data, buf->data, len,
372e18
+                             conn->data_prot, conn);
372e18
+  if(nread < 0)
372e18
+    return CURLE_RECV_ERROR;
372e18
+  buf->size = (size_t)nread;
372e18
   buf->index = 0;
372e18
   return CURLE_OK;
372e18
 }
372e18
-- 
372e18
2.35.3
372e18