From 24dedf9b260eebb7feae6fc273208b551fe54a79 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 16 May 2022 16:28:13 +0200 Subject: [PATCH 1/2] content_encoding: return error on too many compression steps The max allowed steps is arbitrarily set to 5. Bug: https://curl.se/docs/CVE-2022-32206.html CVE-2022-32206 Reported-by: Harry Sintonen Closes #9049 Upstream-commit: 3a09fbb7f264c67c438d01a30669ce325aa508e2 Signed-off-by: Kamil Dudka --- lib/content_encoding.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/lib/content_encoding.c b/lib/content_encoding.c index c03637a..6f994b3 100644 --- a/lib/content_encoding.c +++ b/lib/content_encoding.c @@ -1024,12 +1024,16 @@ static const struct content_encoding *find_encoding(const char *name, return NULL; } +/* allow no more than 5 "chained" compression steps */ +#define MAX_ENCODE_STACK 5 + /* Set-up the unencoding stack from the Content-Encoding header value. * See RFC 7231 section 3.1.2.2. */ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, const char *enclist, int maybechunked) { struct SingleRequest *k = &data->req; + int counter = 0; do { const char *name; @@ -1064,6 +1068,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, if(!encoding) encoding = &error_encoding; /* Defer error at stack use. */ + if(++counter >= MAX_ENCODE_STACK) { + failf(data, "Reject response due to %u content encodings", + counter); + return CURLE_BAD_CONTENT_ENCODING; + } /* Stack the unencoding stage. */ writer = new_unencoding_writer(data, encoding, k->writer_stack); if(!writer) -- 2.35.3 From b3cd74f01871281f0989860e04c546d896f0e72f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 16 May 2022 16:29:07 +0200 Subject: [PATCH 2/2] test387: verify rejection of compression chain attack Upstream-commit: 7230b19a2e17a164f61f82e4e409a9777ea2421a Signed-off-by: Kamil Dudka --- tests/data/Makefile.inc | 1 + tests/data/test387 | 53 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 tests/data/test387 diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 98d5516..9b5f4fb 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -62,6 +62,7 @@ test343 test344 test345 test346 test347 test348 test349 test350 test351 \ test352 test353 test354 test355 test356 test357 test358 test359 test360 \ test361 test362 \ \ +test387 \ test393 test394 test395 test396 test397 \ \ test400 test401 test402 test403 test404 test405 test406 test407 test408 \ diff --git a/tests/data/test387 b/tests/data/test387 new file mode 100644 index 0000000..015ec25 --- /dev/null +++ b/tests/data/test387 @@ -0,0 +1,53 @@ + + + +HTTP +gzip + + + +# +# Server-side + + +HTTP/1.1 200 OK +Transfer-Encoding: gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip,gzip + +-foo- + + + +# +# Client-side + + +http + + +Response with overly long compression chain + + +http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS + + + +# +# Verify data after the test has been "shot" + + +GET /%TESTNUMBER HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +User-Agent: curl/%VERSION +Accept: */* + + + +# CURLE_BAD_CONTENT_ENCODING is 61 + +61 + + +curl: (61) Reject response due to 5 content encodings + + + -- 2.35.3