path: root/meta/recipes-support/curl/curl/CVE-2022-32208.patch
blob: 2939314d09a368733adea6796620a1c08d610e4a (plain)
From 3b90f0b2a7a84645acce151c86b40d25b5de6615 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 9 Jun 2022 09:27:24 +0200
Subject: [PATCH] krb5: return error properly on decode errors

Bug: https://curl.se/docs/CVE-2022-32208.html
CVE-2022-32208
Reported-by: Harry Sintonen
Closes #9051

Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
---
 lib/krb5.c     |  5 +----
 lib/security.c | 13 ++++++++++---
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/krb5.c b/lib/krb5.c
index f50287a..5b77e35 100644
--- a/lib/krb5.c
+++ b/lib/krb5.c
@@ -86,11 +86,8 @@ krb5_decode(void *app_data, void *buf, int len,
   enc.value = buf;
   enc.length = len;
   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
-  if(maj != GSS_S_COMPLETE) {
-    if(len >= 4)
-      strcpy(buf, "599 ");
+  if(maj != GSS_S_COMPLETE)
     return -1;
-  }
 
   memcpy(buf, dec.value, dec.length);
   len = curlx_uztosi(dec.length);
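Review bot: The `memcpy(buf, dec.value, dec.length)` after the new early return still copies without comparing `dec.length` against `len`, the size of the buffer the caller passed in. An unwrapped payload is normally no larger than the wrapped token, but nothing in the visible lines enforces that, so a bound check before the copy would make it explicit: `if(dec.length > (size_t)len) { gss_release_buffer(&min, &dec); return -1; }`. krb5_decode continues past the end of the hunk, so whether `dec` is released on the normal path is not visible here.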
diff --git a/lib/security.c b/lib/security.c
index fbfa707..3542210 100644
--- a/lib/security.c
+++ b/lib/security.c
@@ -192,6 +192,7 @@ static CURLcode read_data(struct connectdata *conn,
 {
   int len;
   CURLcode result;
+  int nread;
 
   result = socket_read(fd, &len, sizeof(len));
   if(result)
@@ -200,7 +201,10 @@ static CURLcode read_data(struct connectdata *conn,
   if(len) {
     /* only realloc if there was a length */
     len = ntohl(len);
-    buf->data = Curl_saferealloc(buf->data, len);
+    if(len > CURL_MAX_INPUT_LENGTH)
+      len = 0;
+    else
+      buf->data = Curl_saferealloc(buf->data, len);
   }
   if(!len || !buf->data)
     return CURLE_OUT_OF_MEMORY;
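Review bot: The new bound `len > CURL_MAX_INPUT_LENGTH` is evaluated on a signed `int` (assuming the macro is a plain integer constant), so a peer-supplied length with the top bit set is negative after `ntohl()` and passes the check, reaching `Curl_saferealloc()` as a very large size. That allocation presumably fails and lands in the `!buf->data` branch, but the limit should not depend on the allocator refusing; `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)` rejects it directly. An oversized length is also reported as `CURLE_OUT_OF_MEMORY`, which will mislead anyone triaging the failure, so a short comment at the `len = 0;` line noting that this is a rejected-input path would help. read_data begins before this hunk.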
@@ -208,8 +212,11 @@ static CURLcode read_data(struct connectdata *conn,
   result = socket_read(fd, buf->data, len);
   if(result)
     return result;
-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
-                                 conn->data_prot, conn);
+  nread = buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+                                         conn->data_prot, conn);
+  if(nread < 0)
+    return CURLE_RECV_ERROR;
+  buf->size = (size_t)nread;
   buf->index = 0;
   return CURLE_OK;
 }
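Review bot: In `nread = buf->size = conn->mech->decode(...)` the `int` result is stored into `buf->size` first and then converted back, so a `-1` from the decoder reaches `nread` only through an unsigned-to-signed conversion that is implementation-defined. It also leaves `buf->size` (apparently `size_t`, given the later cast) holding a huge value on the `CURLE_RECV_ERROR` return. Assign the decoder result to `nread` alone, `nread = conn->mech->decode(conn->app_data, buf->data, len, conn->data_prot, conn);`, and keep the existing `buf->size = (size_t)nread;` after the check. Whether any caller reads `buf->size` after an error is outside this hunk.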