Fix URL globbing out of bounds read as per CVE-2017-1000101
Alessandro Ghedini
6 years ago
| 0 | From e2b917c17b508ad09f730f07ea75e85e5b0e06d2 Mon Sep 17 00:00:00 2001 | |
| 1 | From: Daniel Stenberg <daniel@haxx.se> | |
| 2 | Date: Tue, 1 Aug 2017 17:16:07 +0200 | |
| 3 | Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow | |
| 4 | range | |
| 5 | ||
| 6 | Added test 1289 to verify. | |
| 7 | ||
| 8 | CVE-2017-1000101 | |
| 9 | ||
| 10 | Bug: https://curl.haxx.se/docs/adv_20170809A.html | |
| 11 | Reported-by: Brian Carpenter | |
| 12 | --- | |
| 13 | src/tool_urlglob.c | 5 ++++- | |
| 14 | tests/data/Makefile.inc | 2 +- | |
| 15 | tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ | |
| 16 | 3 files changed, 40 insertions(+), 2 deletions(-) | |
| 17 | create mode 100644 tests/data/test1289 | |
| 18 | ||
| 19 | --- a/src/tool_urlglob.c | |
| 20 | +++ b/src/tool_urlglob.c | |
| 21 | @@ -271,7 +271,10 @@ | |
| 22 | } | |
| 23 | errno = 0; | |
| 24 | max_n = strtoul(pattern, &endp, 10); | |
| 25 | - if(errno || (*endp == ':')) { | |
| 26 | + if(errno) | |
| 27 | + /* overflow */ | |
| 28 | + endp = NULL; | |
| 29 | + else if(*endp == ':') { | |
| 30 | pattern = endp+1; | |
| 31 | errno = 0; | |
| 32 | step_n = strtoul(pattern, &endp, 10); | |
| 33 | --- /dev/null | |
| 34 | +++ b/tests/data/test1289 | |
| 35 | @@ -0,0 +1,35 @@ | |
| 36 | +<testcase> | |
| 37 | +<info> | |
| 38 | +<keywords> | |
| 39 | +HTTP | |
| 40 | +HTTP GET | |
| 41 | +globbing | |
| 42 | +</keywords> | |
| 43 | +</info> | |
| 44 | + | |
| 45 | +# | |
| 46 | +# Server-side | |
| 47 | +<reply> | |
| 48 | +</reply> | |
| 49 | + | |
| 50 | +# Client-side | |
| 51 | +<client> | |
| 52 | +<server> | |
| 53 | +http | |
| 54 | +</server> | |
| 55 | +<name> | |
| 56 | +globbing with overflow and bad syntxx | |
| 57 | +</name> | |
| 58 | +<command> | |
| 59 | +http://ur%20[0-60000000000000000000 | |
| 60 | +</command> | |
| 61 | +</client> | |
| 62 | + | |
| 63 | +# Verify data after the test has been "shot" | |
| 64 | +<verify> | |
| 65 | +# curl: (3) [globbing] bad range in column | |
| 66 | +<errorcode> | |
| 67 | +3 | |
| 68 | +</errorcode> | |
| 69 | +</verify> | |
| 70 | +</testcase> | |
| 71 | --- a/tests/data/Makefile.am | |
| 72 | +++ b/tests/data/Makefile.am | |
| 73 | @@ -105,6 +105,7 @@ | |
| 74 | test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \ | |
| 75 | test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \ | |
| 76 | test1236 test1237 test1238 test1239 test1240 \ | |
| 77 | +test1289 \ | |
| 78 | \ | |
| 79 | test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \ | |
| 80 | test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \ |