106-CVE-2017-8817.patch 3.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141
  1. From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
  2. From: Daniel Stenberg <daniel@haxx.se>
  3. Date: Fri, 10 Nov 2017 08:52:45 +0100
  4. Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
  5. The code would previous read beyond the end of the pattern string if the
  6. match pattern ends with an open bracket when the default pattern
  7. matching function is used.
  8. Detected by OSS-Fuzz:
  9. https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
  10. CVE-2017-8817
  11. Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
  12. ---
  13. lib/curl_fnmatch.c | 9 +++------
  14. tests/data/Makefile.inc | 2 +-
  15. tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
  16. 3 files changed, 56 insertions(+), 7 deletions(-)
  17. create mode 100644 tests/data/test1163
  18. diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
  19. index da83393b4..8a1e106c4 100644
  20. --- a/lib/curl_fnmatch.c
  21. +++ b/lib/curl_fnmatch.c
  22. @@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
  23. unsigned char lastchar = 0;
  24. bool something_found = FALSE;
  25. unsigned char c;
  26. for(;;) {
  27. c = **p;
  28. + if(!c)
  29. + return SETCHARSET_FAIL;
  30. +
  31. switch(state) {
  32. case CURLFNM_SCHS_DEFAULT:
  33. if(ISALNUM(c)) { /* ASCII value */
  34. rangestart = c;
  35. charset[c] = 1;
  36. @@ -195,13 +198,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
  37. (*p)++;
  38. }
  39. else
  40. return SETCHARSET_FAIL;
  41. }
  42. - else if(c == '\0') {
  43. - return SETCHARSET_FAIL;
  44. - }
  45. else {
  46. charset[c] = 1;
  47. (*p)++;
  48. something_found = TRUE;
  49. }
  50. @@ -276,13 +276,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
  51. (*p)++;
  52. }
  53. else if(c == ']') {
  54. return SETCHARSET_OK;
  55. }
  56. - else if(c == '\0') {
  57. - return SETCHARSET_FAIL;
  58. - }
  59. else if(ISPRINT(c)) {
  60. charset[c] = 1;
  61. (*p)++;
  62. state = CURLFNM_SCHS_DEFAULT;
  63. }
  64. diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
  65. index dc1cc03bc..6eb37d81d 100644
  66. --- a/tests/data/Makefile.inc.1 2017-11-29 20:00:26.126452486 +0000
  67. +++ b/tests/data/Makefile.inc 2017-11-29 20:01:13.057783732 +0000
  68. @@ -121,6 +121,7 @@
  69. test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
  70. test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
  71. test1144 \
  72. +test1163 \
  73. test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
  74. test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
  75. test1216 test1217 test1218 test1219 \
  76. diff --git a/tests/data/test1163 b/tests/data/test1163
  77. new file mode 100644
  78. index 000000000..a109b511b
  79. --- /dev/null
  80. +++ b/tests/data/test1163
  81. @@ -0,0 +1,52 @@
  82. +<testcase>
  83. +<info>
  84. +<keywords>
  85. +FTP
  86. +RETR
  87. +LIST
  88. +wildcardmatch
  89. +ftplistparser
  90. +flaky
  91. +</keywords>
  92. +</info>
  93. +
  94. +#
  95. +# Server-side
  96. +<reply>
  97. +<data>
  98. +</data>
  99. +</reply>
  100. +
  101. +# Client-side
  102. +<client>
  103. +<server>
  104. +ftp
  105. +</server>
  106. +<tool>
  107. +lib576
  108. +</tool>
  109. +<name>
  110. +FTP wildcard with pattern ending with an open-bracket
  111. +</name>
  112. +<command>
  113. +"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
  114. +</command>
  115. +</client>
  116. +<verify>
  117. +<protocol>
  118. +USER anonymous
  119. +PASS ftp@example.com
  120. +PWD
  121. +CWD fully_simulated
  122. +CWD DOS
  123. +EPSV
  124. +TYPE A
  125. +LIST
  126. +QUIT
  127. +</protocol>
  128. +# 78 == CURLE_REMOTE_FILE_NOT_FOUND
  129. +<errorcode>
  130. +78
  131. +</errorcode>
  132. +</verify>
  133. +</testcase>
  134. --
  135. 2.15.0