|
 |
a55ea0 |
From d36661703e16bd740a3a928041b1e697a6617b98 Mon Sep 17 00:00:00 2001
|
|
|
a55ea0 |
From: Daniel Stenberg <daniel@haxx.se>
|
|
|
a55ea0 |
Date: Thu, 9 Jun 2022 09:27:24 +0200
|
|
|
a55ea0 |
Subject: [PATCH] krb5: return error properly on decode errors
|
|
|
a55ea0 |
|
|
|
a55ea0 |
Bug: https://curl.se/docs/CVE-2022-32208.html
|
|
|
a55ea0 |
CVE-2022-32208
|
|
|
a55ea0 |
Reported-by: Harry Sintonen
|
|
|
a55ea0 |
Closes #9051
|
|
|
a55ea0 |
|
|
|
a55ea0 |
Upstream-commit: 6ecdf5136b52af747e7bda08db9a748256b1cd09
|
|
|
a55ea0 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
a55ea0 |
---
|
|
|
a55ea0 |
lib/krb5.c | 5 +----
|
|
|
a55ea0 |
lib/security.c | 19 +++++++++++++++----
|
|
|
a55ea0 |
2 files changed, 16 insertions(+), 8 deletions(-)
|
|
|
a55ea0 |
|
|
|
a55ea0 |
diff --git a/lib/krb5.c b/lib/krb5.c
|
|
|
a55ea0 |
index 787137c..6f9e1f7 100644
|
|
|
a55ea0 |
--- a/lib/krb5.c
|
|
|
a55ea0 |
+++ b/lib/krb5.c
|
|
|
a55ea0 |
@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
|
|
|
a55ea0 |
enc.value = buf;
|
|
|
a55ea0 |
enc.length = len;
|
|
|
a55ea0 |
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
|
|
|
a55ea0 |
- if(maj != GSS_S_COMPLETE) {
|
|
|
a55ea0 |
- if(len >= 4)
|
|
|
a55ea0 |
- strcpy(buf, "599 ");
|
|
|
a55ea0 |
+ if(maj != GSS_S_COMPLETE)
|
|
|
a55ea0 |
return -1;
|
|
|
a55ea0 |
- }
|
|
|
a55ea0 |
|
|
|
a55ea0 |
memcpy(buf, dec.value, dec.length);
|
|
|
a55ea0 |
len = curlx_uztosi(dec.length);
|
|
|
a55ea0 |
diff --git a/lib/security.c b/lib/security.c
|
|
|
a55ea0 |
index 52cce97..c95f290 100644
|
|
|
a55ea0 |
--- a/lib/security.c
|
|
|
a55ea0 |
+++ b/lib/security.c
|
|
|
a55ea0 |
@@ -64,6 +64,10 @@
|
|
|
a55ea0 |
/* The last #include file should be: */
|
|
|
a55ea0 |
#include "memdebug.h"
|
|
|
a55ea0 |
|
|
|
a55ea0 |
+/* Max string input length is a precaution against abuse and to detect junk
|
|
|
a55ea0 |
+ input easier and better. */
|
|
|
a55ea0 |
+#define CURL_MAX_INPUT_LENGTH 8000000
|
|
|
a55ea0 |
+
|
|
|
a55ea0 |
static const struct {
|
|
|
a55ea0 |
enum protection_level level;
|
|
|
a55ea0 |
const char *name;
|
|
|
a55ea0 |
@@ -192,6 +196,7 @@ static CURLcode read_data(struct connectdata *conn,
|
|
|
a55ea0 |
{
|
|
|
a55ea0 |
int len;
|
|
|
a55ea0 |
CURLcode result;
|
|
|
a55ea0 |
+ int nread;
|
|
|
a55ea0 |
|
|
|
a55ea0 |
result = socket_read(fd, &len, sizeof(len));
|
|
|
a55ea0 |
if(result)
|
|
|
a55ea0 |
@@ -200,7 +205,10 @@ static CURLcode read_data(struct connectdata *conn,
|
|
|
a55ea0 |
if(len) {
|
|
|
a55ea0 |
/* only realloc if there was a length */
|
|
|
a55ea0 |
len = ntohl(len);
|
|
|
a55ea0 |
- buf->data = Curl_saferealloc(buf->data, len);
|
|
|
a55ea0 |
+ if(len > CURL_MAX_INPUT_LENGTH)
|
|
|
a55ea0 |
+ len = 0;
|
|
|
a55ea0 |
+ else
|
|
|
a55ea0 |
+ buf->data = Curl_saferealloc(buf->data, len);
|
|
|
a55ea0 |
}
|
|
|
a55ea0 |
if(!len || !buf->data)
|
|
|
a55ea0 |
return CURLE_OUT_OF_MEMORY;
|
|
|
a55ea0 |
@@ -208,8 +216,11 @@ static CURLcode read_data(struct connectdata *conn,
|
|
|
a55ea0 |
result = socket_read(fd, buf->data, len);
|
|
|
a55ea0 |
if(result)
|
|
|
a55ea0 |
return result;
|
|
|
a55ea0 |
- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
|
|
|
a55ea0 |
- conn->data_prot, conn);
|
|
|
a55ea0 |
+ nread = conn->mech->decode(conn->app_data, buf->data, len,
|
|
|
a55ea0 |
+ conn->data_prot, conn);
|
|
|
a55ea0 |
+ if(nread < 0)
|
|
|
a55ea0 |
+ return CURLE_RECV_ERROR;
|
|
|
a55ea0 |
+ buf->size = (size_t)nread;
|
|
|
a55ea0 |
buf->index = 0;
|
|
|
a55ea0 |
return CURLE_OK;
|
|
|
a55ea0 |
}
|
|
|
a55ea0 |
--
|
|
|
a55ea0 |
2.35.3
|
|
|
a55ea0 |
|