diff options
Diffstat (limited to 'package/network/utils/curl/patches/108-CVE-2017-8817.patch')
-rw-r--r-- | package/network/utils/curl/patches/108-CVE-2017-8817.patch | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/package/network/utils/curl/patches/108-CVE-2017-8817.patch b/package/network/utils/curl/patches/108-CVE-2017-8817.patch new file mode 100644 index 0000000..4b7e79c --- /dev/null +++ b/package/network/utils/curl/patches/108-CVE-2017-8817.patch @@ -0,0 +1,119 @@ +From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 10 Nov 2017 08:52:45 +0100 +Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset + +The code would previous read beyond the end of the pattern string if the +match pattern ends with an open bracket when the default pattern +matching function is used. + +Detected by OSS-Fuzz: +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161 + +CVE-2017-8817 + +Bug: https://curl.haxx.se/docs/adv_2017-ae72.html +--- + lib/curl_fnmatch.c | 9 +++------ + tests/data/Makefile.inc | 2 +- + tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 56 insertions(+), 7 deletions(-) + create mode 100644 tests/data/test1163 + +--- a/lib/curl_fnmatch.c ++++ b/lib/curl_fnmatch.c +@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, + unsigned char c; + for(;;) { + c = **p; ++ if(!c) ++ return SETCHARSET_FAIL; ++ + switch(state) { + case CURLFNM_SCHS_DEFAULT: + if(ISALNUM(c)) { /* ASCII value */ +@@ -197,9 +200,6 @@ static int setcharset(unsigned char **p, + else + return SETCHARSET_FAIL; + } +- else if(c == '\0') { +- return SETCHARSET_FAIL; +- } + else { + charset[c] = 1; + (*p)++; +@@ -278,9 +278,6 @@ static int setcharset(unsigned char **p, + else if(c == ']') { + return SETCHARSET_OK; + } +- else if(c == '\0') { +- return SETCHARSET_FAIL; +- } + else if(ISPRINT(c)) { + charset[c] = 1; + (*p)++; +--- a/tests/data/Makefile.inc ++++ b/tests/data/Makefile.inc +@@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test + test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \ + test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \ + test1144 \ ++test1163 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \ + test1216 test1217 test1218 test1219 \ +--- /dev/null ++++ b/tests/data/test1163 +@@ -0,0 +1,52 @@ ++<testcase> ++<info> ++<keywords> ++FTP ++RETR ++LIST ++wildcardmatch ++ftplistparser ++flaky ++</keywords> ++</info> ++ ++# ++# Server-side ++<reply> ++<data> ++</data> ++</reply> ++ ++# Client-side ++<client> ++<server> ++ftp ++</server> ++<tool> ++lib576 ++</tool> ++<name> ++FTP wildcard with pattern ending with an open-bracket ++</name> ++<command> ++"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[][" ++</command> ++</client> ++<verify> ++<protocol> ++USER anonymous ++PASS ftp@example.com ++PWD ++CWD fully_simulated ++CWD DOS ++EPSV ++TYPE A ++LIST ++QUIT ++</protocol> ++# 78 == CURLE_REMOTE_FILE_NOT_FOUND ++<errorcode> ++78 ++</errorcode> ++</verify> ++</testcase> |