Fix URL globbing out of bounds read as per CVE-2017-1000101
Alessandro Ghedini
6 years ago
0 | From e2b917c17b508ad09f730f07ea75e85e5b0e06d2 Mon Sep 17 00:00:00 2001 | |
1 | From: Daniel Stenberg <daniel@haxx.se> | |
2 | Date: Tue, 1 Aug 2017 17:16:07 +0200 | |
3 | Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow | |
4 | range | |
5 | ||
6 | Added test 1289 to verify. | |
7 | ||
8 | CVE-2017-1000101 | |
9 | ||
10 | Bug: https://curl.haxx.se/docs/adv_20170809A.html | |
11 | Reported-by: Brian Carpenter | |
12 | --- | |
13 | src/tool_urlglob.c | 5 ++++- | |
14 | tests/data/Makefile.inc | 2 +- | |
15 | tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ | |
16 | 3 files changed, 40 insertions(+), 2 deletions(-) | |
17 | create mode 100644 tests/data/test1289 | |
18 | ||
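--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -271,7 +271,10 @@
 }
 errno = 0;
 max_n = strtoul(pattern, &endp, 10);
- if(errno || (*endp == ':')) {
+ if(errno)
+ /* overflow */
+ endp = NULL;
+ else if(*endp == ':') {
 pattern = endp+1;
 errno = 0;
 step_n = strtoul(pattern, &endp, 10);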
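Review bot: The new `if(errno)` branch uses `endp = NULL` as an error marker, so the fix only holds if every later use tests `endp` before dereferencing it. That code lies after this hunk, which ends at the `step_n = strtoul(...)` call, and should be confirmed. It should also be confirmed that the step parse gets the same errno treatment, since an overflow there would otherwise leave `endp` pointing past the digits. The comment would be more useful if it stated the intent, for example `/* overflow: endp cannot be trusted, force the bad-range error */`. Bracing the branch to match the braced `else if` would keep a later edit from detaching the assignment from its condition.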
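--- /dev/null
+++ b/tests/data/test1289
@@ -0,0 +1,35 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+globbing
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+globbing with overflow and bad syntxx
+</name>
+<command>
+http://ur%20[0-60000000000000000000
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# curl: (3) [globbing] bad range in column
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>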
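Review bot: The `<verify>` block asserts only `<errorcode>` 3, and the expected message `[globbing] bad range in column` appears only as a comment, so the test does not pin the globbing bad-range path specifically. The defect being fixed is an out-of-bounds read, so a run without a memory checker may well exit with the same code on unfixed code; the regression is probably only caught reliably under valgrind or an ASan build. A comment in the test saying so would help, for example `# only meaningful under valgrind/ASan: the unfixed code read past the end of the URL buffer`. The command also omits the closing `]`, so the test covers overflow and bad syntax together rather than the overflow case alone.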
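--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -105,6 +105,7 @@
 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
 test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
 test1236 test1237 test1238 test1239 test1240 \
+test1289 \
 \
 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
 test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \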