forked from curl/curl-www
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2017-8817.patch
146 lines (140 loc) · 3.65 KB
/
CVE-2017-8817.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
From 0acc0c7c120afa6d60bfc7932c04361720b6e74d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Fri, 10 Nov 2017 08:52:45 +0100
Subject: [PATCH] wildcardmatch: fix heap buffer overflow in setcharset
The code would previous read beyond the end of the pattern string if the
match pattern ends with an open bracket when the default pattern
matching function is used.
Detected by OSS-Fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
CVE-2017-8817
Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
---
lib/curl_fnmatch.c | 9 +++------
tests/data/Makefile.inc | 2 +-
tests/data/test1163 | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 56 insertions(+), 7 deletions(-)
create mode 100644 tests/data/test1163
diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index da83393b4..8a1e106c4 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -131,10 +131,13 @@ static int setcharset(unsigned char **p, unsigned char *charset)
unsigned char lastchar = 0;
bool something_found = FALSE;
unsigned char c;
for(;;) {
c = **p;
+ if(!c)
+ return SETCHARSET_FAIL;
+
switch(state) {
case CURLFNM_SCHS_DEFAULT:
if(ISALNUM(c)) { /* ASCII value */
rangestart = c;
charset[c] = 1;
@@ -194,13 +197,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
(*p)++;
}
else
return SETCHARSET_FAIL;
}
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
else {
charset[c] = 1;
(*p)++;
something_found = TRUE;
}
@@ -272,13 +272,10 @@ static int setcharset(unsigned char **p, unsigned char *charset)
(*p)++;
}
else if(c == ']') {
return SETCHARSET_OK;
}
- else if(c == '\0') {
- return SETCHARSET_FAIL;
- }
else if(ISPRINT(c)) {
charset[c] = 1;
(*p)++;
state = CURLFNM_SCHS_DEFAULT;
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index dc1cc03bc..6eb37d81d 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -123,11 +123,11 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
test1152 test1153 \
\
-test1160 test1161 test1162 \
+test1160 test1161 test1162 test1163 \
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
test1216 test1217 test1218 test1219 \
test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
diff --git a/tests/data/test1163 b/tests/data/test1163
new file mode 100644
index 000000000..a109b511b
--- /dev/null
+++ b/tests/data/test1163
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+LIST
+wildcardmatch
+ftplistparser
+flaky
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib576
+</tool>
+<name>
+FTP wildcard with pattern ending with an open-bracket
+</name>
+<command>
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[]["
+</command>
+</client>
+<verify>
+<protocol>
+USER anonymous
+PASS [email protected]
+PWD
+CWD fully_simulated
+CWD DOS
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
+<errorcode>
+78
+</errorcode>
+</verify>
+</testcase>
--
2.15.0