openwrt/package/network/utils/curl/patches/105-CVE-2017-1000254.patch

From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Sep 2017 00:35:22 +0200
Subject: [PATCH] FTP: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
---
 lib/ftp.c               |  7 ++++--
 tests/data/Makefile.inc |  1 +
 tests/data/test1152     | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test1152

--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
         char *ptr=&data->state.buffer[4];  /* start on the first letter */
         char *dir;
         char *store;
+        bool entry_extracted = FALSE;
 
         dir = malloc(nread + 1);
         if(!dir)
@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
               }
               else {
                 /* end of path */
-                *store = '\0'; /* zero terminate */
+                entry_extracted = TRUE;
                 break; /* get out of this loop */
               }
             }
@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
             store++;
             ptr++;
           }
-
+          *store = '\0'; /* zero terminate */
+        }
+        if(entry_extracted) {
           /* If the path name does not look like an absolute path (i.e.: it
              does not start with a '/'), we probably need some server-dependent
              adjustments. For example, this is the case when connecting to
curl: fix some security problems This fixes the following security problems: * CVE-2017-1000254: FTP PWD response parser out of bounds read * CVE-2017-1000257: IMAP FETCH response out of bounds read * CVE-2018-1000005: HTTP/2 trailer out-of-bounds read * CVE-2018-1000007: HTTP authentication leak in redirects * CVE-2018-1000120: FTP path trickery leads to NIL byte out of bounds write * CVE-2018-1000121: LDAP NULL pointer dereference * CVE-2018-1000122: RTSP RTP buffer over-read * CVE-2018-1000301: RTSP bad headers buffer over-read Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 2018-08-10 21:39:06 +02:00			`From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001`
			`From: Daniel Stenberg <daniel@haxx.se>`
			`Date: Mon, 25 Sep 2017 00:35:22 +0200`
			`Subject: [PATCH] FTP: zero terminate the entry path even on bad input`

			`... a single double quote could leave the entry path buffer without a zero`
			`terminating byte. CVE-2017-1000254`

			`Test 1152 added to verify.`

			`Reported-by: Max Dymond`
			`Bug: https://curl.haxx.se/docs/adv_20171004.html`
			`---`
			`lib/ftp.c \| 7 ++++--`
			`tests/data/Makefile.inc \| 1 +`
			`tests/data/test1152 \| 61 +++++++++++++++++++++++++++++++++++++++++++++++++`
			`3 files changed, 67 insertions(+), 2 deletions(-)`
			`create mode 100644 tests/data/test1152`

			`--- a/lib/ftp.c`
			`+++ b/lib/ftp.c`
			`@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct`
			`char ptr=&data->state.buffer[4]; / start on the first letter */`
			`char *dir;`
			`char *store;`
			`+ bool entry_extracted = FALSE;`

			`dir = malloc(nread + 1);`
			`if(!dir)`
			`@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct`
			`}`
			`else {`
			`/* end of path */`
			`- store = '\0'; / zero terminate */`
			`+ entry_extracted = TRUE;`
			`break; /* get out of this loop */`
			`}`
			`}`
			`@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct`
			`store++;`
			`ptr++;`
			`}`
			`-`
			`+ store = '\0'; / zero terminate */`
			`+ }`
			`+ if(entry_extracted) {`
			`/* If the path name does not look like an absolute path (i.e.: it`
			`does not start with a '/'), we probably need some server-dependent`
			`adjustments. For example, this is the case when connecting to`