Diffstat (limited to 'meta/recipes-support/curl/curl/CVE-2022-32208.patch')
-rw-r--r-- | meta/recipes-support/curl/curl/CVE-2022-32208.patch | 72 |
1 files changed, 72 insertions, 0 deletions
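--- /dev/null
+++ b/meta/recipes-support/curl/curl/CVE-2022-32208.patch
@@ -0,0 +1,72 @@
+From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+
+Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
+Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
+---
+lib/krb5.c | 5 +----
+lib/security.c | 13 ++++++++++---
+2 files changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index f50287a..5b77e35 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
+enc.value = buf;
+enc.length = len;
+maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+- if(maj != GSS_S_COMPLETE) {
+- if(len >= 4)
+- strcpy(buf, "599 ");
++ if(maj != GSS_S_COMPLETE)
+return -1;
+- }
+
+memcpy(buf, dec.value, dec.length);
+len = curlx_uztosi(dec.length);
+diff --git a/lib/security.c b/lib/security.c
+index fbfa707..3542210 100644
+--- a/lib/security.c
++++ b/lib/security.c
+@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
+{
+int len;
+CURLcode result;
++ int nread;
+
+result = socket_read(fd, &len, sizeof(len));
+if(result)
+@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
+if(len) {
+/* only realloc if there was a length */
+len = ntohl(len);
+- buf->data = Curl_saferealloc(buf->data, len);
++ if(len > CURL_MAX_INPUT_LENGTH)
++ len = 0;
++ else
++ buf->data = Curl_saferealloc(buf->data, len);
+}
+if(!len || !buf->data)
+return CURLE_OUT_OF_MEMORY;
+@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
+result = socket_read(fd, buf->data, len);
+if(result)
+return result;
+- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+- conn->data_prot, conn);
++ nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
++ conn->data_prot, conn);
++ if(nread < 0)
++ return CURLE_RECV_ERROR;
++ buf->size = (size_t)nread;
+buf->index = 0;
+return CURLE_OK;
+}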
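Review bot: In the last lib/security.c hunk, `nread = buf->size = conn->mech->decode(...)` stores the decoder's return value in `buf->size` before it is checked, so the -1 that krb5_decode now returns is first converted to the type of `buf->size` (the `(size_t)nread` cast two lines later suggests it is unsigned) and only then narrowed back to `int`. The `nread < 0` test therefore relies on an implementation-defined conversion, and on the `CURLE_RECV_ERROR` return `buf->size` is left holding the wrapped value. Assigning to `nread` alone, `nread = conn->mech->decode(conn->app_data, buf->data, len, conn->data_prot, conn);`, keeps the check on the signed result and leaves `buf->size` untouched on failure. In the preceding hunk `len` is a signed `int`, so if `CURL_MAX_INPUT_LENGTH` is a signed constant, a negative length from the peer passes `len > CURL_MAX_INPUT_LENGTH` and is rejected only when the allocation fails; `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)` would make the bound explicit. read_data begins outside these hunks, and because this is a backport any such change would belong upstream first.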