50 lines
1.7 KiB
Diff
50 lines
1.7 KiB
Diff
From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
|
|
From: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon, 25 Sep 2017 00:35:22 +0200
|
|
Subject: [PATCH] FTP: zero terminate the entry path even on bad input
|
|
|
|
... a single double quote could leave the entry path buffer without a zero
|
|
terminating byte. CVE-2017-1000254
|
|
|
|
Test 1152 added to verify.
|
|
|
|
Reported-by: Max Dymond
|
|
Bug: https://curl.haxx.se/docs/adv_20171004.html
|
|
---
|
|
lib/ftp.c | 7 ++++--
|
|
tests/data/Makefile.inc | 1 +
|
|
tests/data/test1152 | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
|
|
3 files changed, 67 insertions(+), 2 deletions(-)
|
|
create mode 100644 tests/data/test1152
|
|
|
|
--- a/lib/ftp.c
|
|
+++ b/lib/ftp.c
|
|
@@ -2825,6 +2825,7 @@ static CURLcode ftp_statemach_act(struct
|
|
char *ptr=&data->state.buffer[4]; /* start on the first letter */
|
|
char *dir;
|
|
char *store;
|
|
+ bool entry_extracted = FALSE;
|
|
|
|
dir = malloc(nread + 1);
|
|
if(!dir)
|
|
@@ -2856,7 +2857,7 @@ static CURLcode ftp_statemach_act(struct
|
|
}
|
|
else {
|
|
/* end of path */
|
|
- *store = '\0'; /* zero terminate */
|
|
+ entry_extracted = TRUE;
|
|
break; /* get out of this loop */
|
|
}
|
|
}
|
|
@@ -2865,7 +2866,9 @@ static CURLcode ftp_statemach_act(struct
|
|
store++;
|
|
ptr++;
|
|
}
|
|
-
|
|
+ *store = '\0'; /* zero terminate */
|
|
+ }
|
|
+ if(entry_extracted) {
|
|
/* If the path name does not look like an absolute path (i.e.: it
|
|
does not start with a '/'), we probably need some server-dependent
|
|
adjustments. For example, this is the case when connecting to
|