- From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
- From: Daniel Stenberg <daniel@haxx.se>
- Date: Mon, 25 Sep 2017 00:35:22 +0200
- Subject: [PATCH] FTP: zero terminate the entry path even on bad input
- ... a single double quote could leave the entry path buffer without a zero
- terminating byte. CVE-2017-1000254
- Test 1152 added to verify.
- Reported-by: Max Dymond
- Bug: https://curl.haxx.se/docs/adv_20171004.html
- ---
- lib/ftp.c | 7 ++++--
- tests/data/Makefile.inc | 1 +
- tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 67 insertions(+), 2 deletions(-)
- create mode 100644 tests/data/test1152
- --- a/lib/ftp.c
- +++ b/lib/ftp.c
- @@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
- char *ptr=&data->state.buffer[4]; /* start on the first letter */
- char *dir;
- char *store;
- + bool entry_extracted = FALSE;
-
- dir = malloc(nread + 1);
- if(!dir)
- @@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
- }
- else {
- /* end of path */
- - *store = '\0'; /* zero terminate */
- + entry_extracted = TRUE;
- break; /* get out of this loop */
- }
- }
- @@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
- store++;
- ptr++;
- }
- -
- + *store = '\0'; /* zero terminate */
- + }
- + if(entry_extracted) {
- /* If the path name does not look like an absolute path (i.e.: it
- does not start with a '/'), we probably need some server-dependent
- adjustments. For example, this is the case when connecting to
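Review bot: The new `if(entry_extracted) {` guard at the end of this hunk opens a block whose else path lies outside the hunk, so it is not visible whether `dir` (allocated with `malloc(nread + 1)` in the first hunk) is released when the reply contains an opening quote but no closing one. That path can now be reached with a partially filled buffer, so it should be confirmed to free `dir` rather than leak or reuse it. The relocated `*store = '\0';` deserves a comment explaining why it sits after the loop, for example `/* terminate on every exit: the loop also ends at end of input without a closing quote */`. The write stays inside the allocation only if the loop copies at most `nread` bytes, and that depends on a loop condition which is also outside the visible hunks.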