From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 25 Sep 2017 00:35:22 +0200
Subject: [PATCH] FTP: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero terminating byte.

CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
---
 lib/ftp.c | 7 ++++--
 tests/data/Makefile.inc | 1 +
 tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test1152

--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
 char *ptr=&data->state.buffer[4]; /* start on the first letter */
 char *dir;
 char *store;
+ bool entry_extracted = FALSE;
 dir = malloc(nread + 1);
 if(!dir)
@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
 }
 else {
 /* end of path */
- *store = '\0'; /* zero terminate */
+ entry_extracted = TRUE;
 break; /* get out of this loop */
 }
 }
@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
 store++;
 ptr++;
 }
-
+ *store = '\0'; /* zero terminate */
+ }
+ if(entry_extracted) {
 /* If the path name does not look like an absolute path (i.e.: it
 does not start with a '/'), we probably need some server-dependent
 adjustments. For example, this is the case when connecting to
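Review bot: The `*store = '\0';` moved below the `for` in the third hunk now terminates `dir` on both ways out of the loop — closing quote found, or `*ptr` reaching NUL first — yet nothing at that line says so, and the second hunk's `entry_extracted = TRUE;` reads as if it were the only place the path is completed; a comment there, `/* terminate whatever was copied; entry_extracted records whether the closing quote was actually seen */`, would make the two-step contract explicit. Because `dir` is now always NUL-terminated once the opening quote was found, the `else` of `if(entry_extracted)` (beyond the hunk) is the only code that sees the partial buffer; it should release it and not treat it as a usable path, which the diff does not show. The `bool entry_extracted` declared in the first hunk is read only in the third, so the three hunks form one change and should be reviewed together. ftp_statemach_act itself starts and ends outside all three hunks.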