Diffstat (limited to 'main/curl/CVE-2017-1000254.patch')
-rw-r--r--main/curl/CVE-2017-1000254.patch58
1 files changed, 58 insertions, 0 deletions
diff --git a/main/curl/CVE-2017-1000254.patch b/main/curl/CVE-2017-1000254.patch
new file mode 100644
index 0000000000..2f1a16fd16
--- /dev/null
+++ b/main/curl/CVE-2017-1000254.patch
@@ -0,0 +1,58 @@
+From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Mon, 25 Sep 2017 00:35:22 +0200
+Subject: [PATCH] FTP: zero terminate the entry path even on bad input
+
+... a single double quote could leave the entry path buffer without a zero
+terminating byte. CVE-2017-1000254
+
+Test 1152 added to verify.
+
+Reported-by: Max Dymond
+Bug: https://curl.haxx.se/docs/adv_20171004.html
+---
+ lib/ftp.c | 7 ++++--
+ 3 files changed, 67 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1152
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index 4860509f3..54ba4057f 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -2777,10 +2777,11 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ if(ftpcode == 257) {
+ char *ptr = &data->state.buffer[4]; /* start on the first letter */
+ const size_t buf_size = data->set.buffer_size;
+ char *dir;
+ char *store;
++ bool entry_extracted = FALSE;
+
+ dir = malloc(nread + 1);
+ if(!dir)
+ return CURLE_OUT_OF_MEMORY;
+
+@@ -2808,20 +2809,22 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
+ *store = ptr[1];
+ ptr++;
+ }
+ else {
+ /* end of path */
+- *store = '\0'; /* zero terminate */
++ entry_extracted = TRUE;
+ break; /* get out of this loop */
+ }
+ }
+ else
+ *store = *ptr;
+ store++;
+ ptr++;
+ }
+-
++ *store = '\0'; /* zero terminate */
++ }
++ if(entry_extracted) {
+ /* If the path name does not look like an absolute path (i.e.: it
+ does not start with a '/'), we probably need some server-dependent
+ adjustments. For example, this is the case when connecting to
+ an OS400 FTP server: this server supports two name syntaxes,
+ the default one being incompatible with standard paths. In
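Review bot: The embedded patch header still reports `3 files changed, 67 insertions(+), 2 deletions(-)` and `create mode 100644 tests/data/test1152`, but only the `lib/ftp.c` hunks are carried, so the regression test for the unterminated entry path is not part of this backport. A short line in the header, for example `[backport: test1152 dropped, lib/ftp.c change only]`, would show the trimming was deliberate and that the fix is not exercised by the package's test run. The second `lib/ftp.c` hunk ends inside the new `if(entry_extracted) {` block, so the branch taken when no closing quote is found lies outside the visible lines. It is worth confirming against the packaged curl source that `dir` is freed on that branch, because the now-unconditional `*store = '\0';` only guarantees termination and does not settle ownership of the allocation.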