From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 25 Sep 2017 00:35:22 +0200
Subject: [PATCH] FTP: zero terminate the entry path even on bad input
... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254
Test 1152 added to verify.
Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
---
lib/ftp.c | 7 ++++--
3 files changed, 67 insertions(+), 2 deletions(-)
create mode 100644 tests/data/test1152
diff --git a/lib/ftp.c b/lib/ftp.c
index 4860509f3..54ba4057f 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2777,10 +2777,11 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
if(ftpcode == 257) {
char *ptr = &data->state.buffer[4]; /* start on the first letter */
const size_t buf_size = data->set.buffer_size;
char *dir;
char *store;
+ bool entry_extracted = FALSE;
dir = malloc(nread + 1);
if(!dir)
return CURLE_OUT_OF_MEMORY;
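Review bot: The new flag `entry_extracted` is declared without a comment saying what it records, and its only assignment is in the later hunk, in the "end of path" branch. A one-line comment at the declaration would make the intent clear, for example `/* TRUE only once the closing double quote of the path has been seen */`. The enclosing `if(ftpcode == 257)` block continues past this hunk.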
@@ -2808,20 +2809,22 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
*store = ptr[1];
ptr++;
}
else {
/* end of path */
- *store = '\0'; /* zero terminate */
+ entry_extracted = TRUE;
break; /* get out of this loop */
}
}
else
*store = *ptr;
store++;
ptr++;
}
-
+ *store = '\0'; /* zero terminate */
+ }
+ if(entry_extracted) {
/* If the path name does not look like an absolute path (i.e.: it
does not start with a '/'), we probably need some server-dependent
adjustments. For example, this is the case when connecting to
an OS400 FTP server: this server supports two name syntaxes,
the default one being incompatible with standard paths. In
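Review bot: A reply whose opening quote is never closed now skips the block guarded by `if(entry_extracted)`, and the branch that handles that case lies outside this hunk. It therefore cannot be confirmed here that `dir`, allocated with `malloc(nread + 1)` in the first hunk, is freed on that path; this is worth checking against the full function. The relocated `*store = '\0';` is what guarantees termination on malformed input, so its comment should state that invariant, e.g. `/* always terminate: the loop may end without a closing quote */`. The scanning loop and the `if(ftpcode == 257)` block both start before this hunk and continue after it.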