This repository has been archived by the owner on Jan 15, 2025. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 87
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
(PA-5852) Apply CVE-2023-38545 patch for curl vulnerablity
- Loading branch information
1 parent
247061a
commit 43a75aa
Showing
3 changed files
with
227 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,110 @@ | ||
| diff --git a/lib/socks.c b/lib/socks.c | ||
| index 95c2b004c..8cf694d1d 100644 | ||
| --- a/lib/socks.c | ||
| +++ b/lib/socks.c | ||
| @@ -588,9 +588,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, | ||
|
|
||
| /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ | ||
| if(!socks5_resolve_local && hostname_len > 255) { | ||
| - infof(data, "SOCKS5: server resolving disabled for hostnames of " | ||
| - "length > 255 [actual len=%zu]", hostname_len); | ||
| - socks5_resolve_local = TRUE; | ||
| + failf(data, "SOCKS5: the destination hostname is too long to be " | ||
| + "resolved remotely by the proxy."); | ||
| + return CURLPX_LONG_HOSTNAME; | ||
| } | ||
|
|
||
| if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) | ||
| @@ -904,7 +904,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, | ||
| } | ||
| else { | ||
| socksreq[len++] = 3; | ||
| - socksreq[len++] = (char) hostname_len; /* one byte address length */ | ||
| + socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ | ||
| memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ | ||
| len += hostname_len; | ||
| } | ||
| diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
| index 97fdabcfa..f713c03b3 100644 | ||
| --- a/tests/data/Makefile.inc | ||
| +++ b/tests/data/Makefile.inc | ||
| @@ -100,7 +100,8 @@ test679 test680 test681 test682 test683 test684 test685 \ | ||
| \ | ||
| test700 test701 test702 test703 test704 test705 test706 test707 test708 \ | ||
| test709 test710 test711 test712 test713 test714 test715 test716 test717 \ | ||
| -test718 test719 test720 test721 \ | ||
| +test718 test719 test720 test721 test722 test723 test724 test725 test726 \ | ||
| +test727 test728 \ | ||
| \ | ||
| test800 test801 test802 test803 test804 test805 test806 test807 test808 \ | ||
| test809 test810 test811 test812 test813 test814 test815 test816 test817 \ | ||
| diff --git a/tests/data/test728 b/tests/data/test728 | ||
| new file mode 100644 | ||
| index 000000000..05bcf2883 | ||
| --- /dev/null | ||
| +++ b/tests/data/test728 | ||
| @@ -0,0 +1,64 @@ | ||
| +<testcase> | ||
| +<info> | ||
| +<keywords> | ||
| +HTTP | ||
| +HTTP GET | ||
| +SOCKS5 | ||
| +SOCKS5h | ||
| +followlocation | ||
| +</keywords> | ||
| +</info> | ||
| + | ||
| +# | ||
| +# Server-side | ||
| +<reply> | ||
| +# The hostname in this redirect is 256 characters and too long (> 255) for | ||
| +# SOCKS5 remote resolve. curl must return error CURLE_PROXY in this case. | ||
| +<data> | ||
| +HTTP/1.1 301 Moved Permanently | ||
| +Location: http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ | ||
| +Content-Length: 0 | ||
| +Connection: close | ||
| + | ||
| +</data> | ||
| +</reply> | ||
| + | ||
| +# | ||
| +# Client-side | ||
| +<client> | ||
| +<features> | ||
| +proxy | ||
| +</features> | ||
| +<server> | ||
| +http | ||
| +socks5 | ||
| +</server> | ||
| + <name> | ||
| +SOCKS5h with HTTP redirect to hostname too long | ||
| + </name> | ||
| + <command> | ||
| +--no-progress-meter --location --proxy socks5h://%HOSTIP:%SOCKSPORT http://%HOSTIP:%HTTPPORT/%TESTNUMBER | ||
| +</command> | ||
| +</client> | ||
| + | ||
| +# | ||
| +# Verify data after the test has been "shot" | ||
| +<verify> | ||
| +<protocol crlf="yes"> | ||
| +GET /%TESTNUMBER HTTP/1.1 | ||
| +Host: %HOSTIP:%HTTPPORT | ||
| +User-Agent: curl/%VERSION | ||
| +Accept: */* | ||
| + | ||
| +</protocol> | ||
| +<errorcode> | ||
| +97 | ||
| +</errorcode> | ||
| +# the error message is verified because error code CURLE_PROXY (97) may be | ||
| +# returned for any number of reasons and we need to make sure it is | ||
| +# specifically for the reason below so that we know the check is working. | ||
| +<stderr mode="text"> | ||
| +curl: (97) SOCKS5: the destination hostname is too long to be resolved remotely by the proxy. | ||
| +</stderr> | ||
| +</verify> | ||
| +</testcase> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
| diff --git a/lib/cookie.c b/lib/cookie.c | ||
| index c457b2d95..7a9daf038 100644 | ||
| --- a/lib/cookie.c | ||
| +++ b/lib/cookie.c | ||
| @@ -118,7 +118,6 @@ static void freecookie(struct Cookie *co) | ||
| free(co->name); | ||
| free(co->value); | ||
| free(co->maxage); | ||
| - free(co->version); | ||
| free(co); | ||
| } | ||
|
|
||
| @@ -714,12 +713,8 @@ Curl_cookie_add(struct Curl_easy *data, | ||
| whatptr); | ||
| } | ||
| } | ||
| - else if(strcasecompare("version", name)) { | ||
| - strstore(&co->version, whatptr); | ||
| - if(!co->version) { | ||
| - badcookie = TRUE; | ||
| - break; | ||
| - } | ||
| + else if((nlen == 7) && strncasecompare("version", namep, 7)) { | ||
| + /* just ignore */ | ||
| } | ||
| else if(strcasecompare("max-age", name)) { | ||
| /* | ||
| @@ -1174,7 +1169,6 @@ Curl_cookie_add(struct Curl_easy *data, | ||
| free(clist->path); | ||
| free(clist->spath); | ||
| free(clist->expirestr); | ||
| - free(clist->version); | ||
| free(clist->maxage); | ||
|
|
||
| *clist = *co; /* then store all the new data */ | ||
| @@ -1238,9 +1232,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data, | ||
| c = calloc(1, sizeof(struct CookieInfo)); | ||
| if(!c) | ||
| return NULL; /* failed to get memory */ | ||
| - c->filename = strdup(file?file:"none"); /* copy the name just in case */ | ||
| - if(!c->filename) | ||
| - goto fail; /* failed to get memory */ | ||
| /* | ||
| * Initialize the next_expiration time to signal that we don't have enough | ||
| * information yet. | ||
| @@ -1394,7 +1385,6 @@ static struct Cookie *dup_cookie(struct Cookie *src) | ||
| CLONE(name); | ||
| CLONE(value); | ||
| CLONE(maxage); | ||
| - CLONE(version); | ||
| d->expires = src->expires; | ||
| d->tailmatch = src->tailmatch; | ||
| d->secure = src->secure; | ||
| @@ -1610,7 +1600,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c) | ||
| { | ||
| if(c) { | ||
| unsigned int i; | ||
| - free(c->filename); | ||
| for(i = 0; i < COOKIE_HASH_SIZE; i++) | ||
| Curl_cookie_freelist(c->cookies[i]); | ||
| free(c); /* free the base struct as well */ | ||
| diff --git a/lib/cookie.h b/lib/cookie.h | ||
| index 39bb08bc4..3a43bbf33 100644 | ||
| --- a/lib/cookie.h | ||
| +++ b/lib/cookie.h | ||
| @@ -36,11 +36,7 @@ struct Cookie { | ||
| char *domain; /* domain = <this> */ | ||
| curl_off_t expires; /* expires = <this> */ | ||
| char *expirestr; /* the plain text version */ | ||
| - | ||
| - /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */ | ||
| - char *version; /* Version = <value> */ | ||
| char *maxage; /* Max-Age = <value> */ | ||
| - | ||
| bool tailmatch; /* whether we do tail-matching of the domain name */ | ||
| bool secure; /* whether the 'secure' keyword was used */ | ||
| bool livecookie; /* updated from a server, not a stored file */ | ||
| @@ -56,18 +52,16 @@ struct Cookie { | ||
| #define COOKIE_PREFIX__SECURE (1<<0) | ||
| #define COOKIE_PREFIX__HOST (1<<1) | ||
|
|
||
| -#define COOKIE_HASH_SIZE 256 | ||
| +#define COOKIE_HASH_SIZE 63 | ||
|
|
||
| struct CookieInfo { | ||
| /* linked list of cookies we know of */ | ||
| struct Cookie *cookies[COOKIE_HASH_SIZE]; | ||
| - | ||
| - char *filename; /* file we read from/write to */ | ||
| - long numcookies; /* number of cookies in the "jar" */ | ||
| + curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
| + int numcookies; /* number of cookies in the "jar" */ | ||
| + int lastct; /* last creation-time used in the jar */ | ||
| bool running; /* state info, for cookie adding information */ | ||
| bool newsession; /* new session, discard session cookies on load */ | ||
| - int lastct; /* last creation-time used in the jar */ | ||
| - curl_off_t next_expiration; /* the next time at which expiration happens */ | ||
| }; | ||
|
|
||
| /* This is the maximum line length we accept for a cookie line. RFC 2109 | ||
| diff --git a/lib/easy.c b/lib/easy.c | ||
| index db03026c9..842d2a99a 100644 | ||
| --- a/lib/easy.c | ||
| +++ b/lib/easy.c | ||
| @@ -911,9 +911,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) | ||
| if(data->cookies) { | ||
| /* If cookies are enabled in the parent handle, we enable them | ||
| in the clone as well! */ | ||
| - outcurl->cookies = Curl_cookie_init(data, | ||
| - data->cookies->filename, | ||
| - outcurl->cookies, | ||
| + outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies, | ||
| data->set.cookiesession); | ||
| if(!outcurl->cookies) | ||
| goto fail; |