curl: apply CVE 2017-8816 and 2017-8817 security patches
1 From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Fri, 10 Nov 2017 08:52:45 +0100
4 Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
5
6 The code would previously read beyond the end of the pattern string if the
7 match pattern ends with an open bracket when the default pattern
8 matching function is used.
9
10 Detected by OSS-Fuzz:
11 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
12
13 CVE-2017-8817
14
15 Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
16 ---
17 lib/curl_fnmatch.c | 9 +++------
18 tests/data/Makefile.inc | 2 +-
19 tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
20 3 files changed, 56 insertions(+), 7 deletions(-)
21 create mode 100644 tests/data/test1163
22
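--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
 unsigned char lastchar = 0;
 bool something_found = FALSE;
 unsigned char c;
 for(;;) {
 c = **p;
+ if(!c)
+ return SETCHARSET_FAIL;
+
 switch(state) {
 case CURLFNM_SCHS_DEFAULT:
 if(ISALNUM(c)) { /* ASCII value */
 rangestart = c;
 charset[c] = 1;
@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
 (*p)++;
 }
 else
 return SETCHARSET_FAIL;
 }
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
 else {
 charset[c] = 1;
 (*p)++;
 something_found = TRUE;
 }
@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
 (*p)++;
 }
 else if(c == ']') {
 return SETCHARSET_OK;
 }
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
 else if(ISPRINT(c)) {
 charset[c] = 1;
 (*p)++;
 state = CURLFNM_SCHS_DEFAULT;
 }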
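Review bot: The new `if(!c)` check at the top of the `for(;;)` loop in setcharset() has no comment, although it is now the single guard against reading past the end of the pattern for every parser state. I would add `/* end of pattern inside a bracket expression: fail in every state */` above it so a later refactor does not move the check back into individual cases. The check covers only the byte loaded into `c`, so any branch that reads ahead of `*p` or advances it more than once per iteration (those branches lie outside these hunks) still has to reject a NUL itself. setcharset's body starts before and continues past the hunks shown.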
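--- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000
+++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000
@@ -121,6 +121,7 @@
 test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
 test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
 test1144 \
+test1163 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
 test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
 test1216 test1217 test1218 test1219 \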
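--- /dev/null
+++ b/tests/data/test1163
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+LIST
+wildcardmatch
+ftplistparser
+flaky
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib576
+</tool>
+<name>
+FTP wildcard with pattern ending with an open-bracket
+</name>
+<command>
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
+</command>
+</client>
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD fully_simulated
+CWD DOS
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
+<errorcode>
+78
+</errorcode>
+</verify>
+</testcase>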
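Review bot: The regression test carries the `flaky` keyword in its `<keywords>` list, so any test run that excludes that keyword would skip the only test covering this CVE. If the tag is not required I would drop it; otherwise test1163 should be run explicitly when validating the backport. The `<verify>` block checks only the protocol exchange and error code 78, so a remaining over-read would presumably be caught only when the suite runs under a memory checker such as valgrind or AddressSanitizer.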
139 --
140 2.15.0
141