From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 12 Jun 2021 18:25:15 +0200 Subject: [PATCH] telnet: fix option parser to not send uninitialized contents CVE-2021-22925 Reported-by: Red Hat Product Security Bug: https://curl.se/docs/CVE-2021-22925.html Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a Signed-off-by: Kamil Dudka --- lib/telnet.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/lib/telnet.c b/lib/telnet.c index ea6bc71..f8428b8 100644 --- a/lib/telnet.c +++ b/lib/telnet.c @@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn) size_t tmplen = (strlen(v->data) + 1); /* Add the variable only if it fits */ if(len + tmplen < (int)sizeof(temp)-6) { - if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { - snprintf((char *)&temp[len], sizeof(temp) - len, - "%c%s%c%s", CURL_NEW_ENV_VAR, varname, - CURL_NEW_ENV_VALUE, varval); - len += tmplen; - } + int rv; + char sep[2] = ""; + varval[0] = 0; + rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); + if(rv == 1) + len += snprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s", CURL_NEW_ENV_VAR, varname); + else if(rv >= 2) + len += snprintf((char *)&temp[len], sizeof(temp) - len, + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, + CURL_NEW_ENV_VALUE, varval); } } snprintf((char *)&temp[len], sizeof(temp) - len, -- 2.31.1