mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-25 00:11:13 +00:00
060b7f1fbb
This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01 Curl package. Compile-tested on ar71xx, ramips and x86. Signed-off-by: Stijn Segers <foss@volatilesystems.org>
142 lines
3.4 KiB
Diff
142 lines
3.4 KiB
Diff
From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Fri, 10 Nov 2017 08:52:45 +0100
|
|
Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
|
|
|
|
The code would previous read beyond the end of the pattern string if the
|
|
match pattern ends with an open bracket when the default pattern
|
|
matching function is used.
|
|
|
|
Detected by OSS-Fuzz:
|
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
|
|
|
|
CVE-2017-8817
|
|
|
|
Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
|
|
---
|
|
lib/curl_fnmatch.c | 9 +++------
|
|
tests/data/Makefile.inc | 2 +-
|
|
tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 56 insertions(+), 7 deletions(-)
|
|
create mode 100644 tests/data/test1163
|
|
|
|
diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
|
|
index da83393b4..8a1e106c4 100644
|
|
--- a/lib/curl_fnmatch.c
|
|
+++ b/lib/curl_fnmatch.c
|
|
@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
|
|
unsigned char lastchar = 0;
|
|
bool something_found = FALSE;
|
|
unsigned char c;
|
|
for(;;) {
|
|
c = **p;
|
|
+ if(!c)
|
|
+ return SETCHARSET_FAIL;
|
|
+
|
|
switch(state) {
|
|
case CURLFNM_SCHS_DEFAULT:
|
|
if(ISALNUM(c)) { /* ASCII value */
|
|
rangestart = c;
|
|
charset[c] = 1;
|
|
@@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
|
|
(*p)++;
|
|
}
|
|
else
|
|
return SETCHARSET_FAIL;
|
|
}
|
|
- else if(c == '\0') {
|
|
- return SETCHARSET_FAIL;
|
|
- }
|
|
else {
|
|
charset[c] = 1;
|
|
(*p)++;
|
|
something_found = TRUE;
|
|
}
|
|
@@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
|
|
(*p)++;
|
|
}
|
|
else if(c == ']') {
|
|
return SETCHARSET_OK;
|
|
}
|
|
- else if(c == '\0') {
|
|
- return SETCHARSET_FAIL;
|
|
- }
|
|
else if(ISPRINT(c)) {
|
|
charset[c] = 1;
|
|
(*p)++;
|
|
state = CURLFNM_SCHS_DEFAULT;
|
|
}
|
|
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
|
index dc1cc03bc..6eb37d81d 100644
|
|
--- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000
|
|
+++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000
|
|
@@ -121,6 +121,7 @@
|
|
test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
|
|
test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
|
|
test1144 \
|
|
+test1163 \
|
|
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
|
|
test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
|
|
test1216 test1217 test1218 test1219 \
|
|
diff --git a/tests/data/test1163 b/tests/data/test1163
|
|
new file mode 100644
|
|
index 000000000..a109b511b
|
|
--- /dev/null
|
|
+++ b/tests/data/test1163
|
|
@@ -0,0 +1,52 @@
|
|
+<testcase>
|
|
+<info>
|
|
+<keywords>
|
|
+FTP
|
|
+RETR
|
|
+LIST
|
|
+wildcardmatch
|
|
+ftplistparser
|
|
+flaky
|
|
+</keywords>
|
|
+</info>
|
|
+
|
|
+#
|
|
+# Server-side
|
|
+<reply>
|
|
+<data>
|
|
+</data>
|
|
+</reply>
|
|
+
|
|
+# Client-side
|
|
+<client>
|
|
+<server>
|
|
+ftp
|
|
+</server>
|
|
+<tool>
|
|
+lib576
|
|
+</tool>
|
|
+<name>
|
|
+FTP wildcard with pattern ending with an open-bracket
|
|
+</name>
|
|
+<command>
|
|
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
|
|
+</command>
|
|
+</client>
|
|
+<verify>
|
|
+<protocol>
|
|
+USER anonymous
|
|
+PASS ftp@example.com
|
|
+PWD
|
|
+CWD fully_simulated
|
|
+CWD DOS
|
|
+EPSV
|
|
+TYPE A
|
|
+LIST
|
|
+QUIT
|
|
+</protocol>
|
|
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
|
|
+<errorcode>
|
|
+78
|
|
+</errorcode>
|
|
+</verify>
|
|
+</testcase>
|
|
--
|
|
2.15.0
|
|
|