Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 488fc98adf
Branches Tags
openwrt_lede
/
package
/
network
/
utils
/
curl
/
patches
/
108-CVE-2017-8817.patch

108-CVE-2017-8817.patch 2.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 
  1. From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
    2. 

  2. From: Daniel Stenberg <daniel@haxx.se>
    3. 

  3. Date: Fri, 10 Nov 2017 08:52:45 +0100
    4. 

  4. Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
    5. 

  5. 

  6. The code would previous read beyond the end of the pattern string if the
    7. 

  7. match pattern ends with an open bracket when the default pattern
    8. 

  8. matching function is used.
    9. 

  9. 

  10. Detected by OSS-Fuzz:
    11. 

  11. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
    12. 

  12. 

  13. CVE-2017-8817
    14. 

  14. 

  15. Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
    16. 

  16. ---
    17. 

  17.  lib/curl_fnmatch.c      |  9 +++------
    18. 

  18.  tests/data/Makefile.inc |  2 +-
    19. 

  19.  tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
    20. 

  20.  3 files changed, 56 insertions(+), 7 deletions(-)
    21. 

  21.  create mode 100644 tests/data/test1163
    22. 

  22. 

  23. --- a/lib/curl_fnmatch.c
    24. 

  24. +++ b/lib/curl_fnmatch.c
    25. 

  25. @@ -133,6 +133,9 @@ static int setcharset(unsigned char **p,
    26. 

  26.    unsigned char c;
    27. 

  27.    for(;;) {
    28. 

  28.      c = **p;
    29. 

  29. +    if(!c)
    30. 

  30. +      return SETCHARSET_FAIL;
    31. 

  31. +
    32. 

  32.      switch(state) {
    33. 

  33.      case CURLFNM_SCHS_DEFAULT:
    34. 

  34.        if(ISALNUM(c)) { /* ASCII value */
    35. 

  35. @@ -197,9 +200,6 @@ static int setcharset(unsigned char **p,
    36. 

  36.          else
    37. 

  37.            return SETCHARSET_FAIL;
    38. 

  38.        }
    39. 

  39. -      else if(c == '\0') {
    40. 

  40. -        return SETCHARSET_FAIL;
    41. 

  41. -      }
    42. 

  42.        else {
    43. 

  43.          charset[c] = 1;
    44. 

  44.          (*p)++;
    45. 

  45. @@ -278,9 +278,6 @@ static int setcharset(unsigned char **p,
    46. 

  46.        else if(c == ']') {
    47. 

  47.          return SETCHARSET_OK;
    48. 

  48.        }
    49. 

  49. -      else if(c == '\0') {
    50. 

  50. -        return SETCHARSET_FAIL;
    51. 

  51. -      }
    52. 

  52.        else if(ISPRINT(c)) {
    53. 

  53.          charset[c] = 1;
    54. 

  54.          (*p)++;
    55. 

  55. --- a/tests/data/Makefile.inc
    56. 

  56. +++ b/tests/data/Makefile.inc
    57. 

  57. @@ -121,6 +121,7 @@ test1120 test1121 test1122 test1123 test
    58. 

  58.  test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
    59. 

  59.  test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
    60. 

  60.  test1144 \
    61. 

  61. +test1163 \
    62. 

  62.  test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
    63. 

  63.  test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
    64. 

  64.  test1216 test1217 test1218 test1219 \
    65. 

  65. --- /dev/null
    66. 

  66. +++ b/tests/data/test1163
    67. 

  67. @@ -0,0 +1,52 @@
    68. 

  68. +<testcase>
    69. 

  69. +<info>
    70. 

  70. +<keywords>
    71. 

  71. +FTP
    72. 

  72. +RETR
    73. 

  73. +LIST
    74. 

  74. +wildcardmatch
    75. 

  75. +ftplistparser
    76. 

  76. +flaky
    77. 

  77. +</keywords>
    78. 

  78. +</info>
    79. 

  79. +
    80. 

  80. +#
    81. 

  81. +# Server-side
    82. 

  82. +<reply>
    83. 

  83. +<data>
    84. 

  84. +</data>
    85. 

  85. +</reply>
    86. 

  86. +
    87. 

  87. +# Client-side
    88. 

  88. +<client>
    89. 

  89. +<server>
    90. 

  90. +ftp
    91. 

  91. +</server>
    92. 

  92. +<tool>
    93. 

  93. +lib576
    94. 

  94. +</tool>
    95. 

  95. +<name>
    96. 

  96. +FTP wildcard with pattern ending with an open-bracket
    97. 

  97. +</name>
    98. 

  98. +<command>
    99. 

  99. +"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
    100. 

  100. +</command>
    101. 

  101. +</client>
    102. 

  102. +<verify>
    103. 

  103. +<protocol>
    104. 

  104. +USER anonymous
    105. 

  105. +PASS ftp@example.com
    106. 

  106. +PWD
    107. 

  107. +CWD fully_simulated
    108. 

  108. +CWD DOS
    109. 

  109. +EPSV
    110. 

  110. +TYPE A
    111. 

  111. +LIST
    112. 

  112. +QUIT
    113. 

  113. +</protocol>
    114. 

  114. +# 78 == CURLE_REMOTE_FILE_NOT_FOUND
    115. 

  115. +<errorcode>
    116. 

  116. +78
    117. 

  117. +</errorcode>
    118. 

  118. +</verify>
    119. 

  119. +</testcase>
    120.