1From 371264697a70e8ed3da678aefbe20940759485fa Mon Sep 17 00:00:00 2001 2From: Patrick Monnerat <patrick@monnerat.net> 3Date: Mon, 25 Apr 2022 11:44:05 +0200 4Subject: [PATCH] url: check sasl additional parameters for connection reuse. 5 6Also move static function safecmp() as non-static Curl_safecmp() since 7its purpose is needed at several places. 8 9Bug: https://curl.se/docs/CVE-2022-22576.html 10 11CVE-2022-22576 12 13Closes #8746 14 15Upstream-Status: Backport [https://github.com/curl/curl/commit/852aa5ad351ea53e5f01d2f44b5b4370c2bf5425] 16Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> 17--- 18 lib/strcase.c | 10 ++++++++++ 19 lib/strcase.h | 2 ++ 20 lib/url.c | 13 ++++++++++++- 21 lib/urldata.h | 1 + 22 lib/vtls/vtls.c | 21 ++++++--------------- 23 5 files changed, 31 insertions(+), 16 deletions(-) 24 25diff --git a/lib/strcase.c b/lib/strcase.c 26index dd46ca1..692a3f1 100644 27--- a/lib/strcase.c 28+++ b/lib/strcase.c 29@@ -131,6 +131,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) 30 } while(*src++ && --n); 31 } 32 33+/* Compare case-sensitive NUL-terminated strings, taking care of possible 34+ * null pointers. Return true if arguments match. 35+ */ 36+bool Curl_safecmp(char *a, char *b) 37+{ 38+ if(a && b) 39+ return !strcmp(a, b); 40+ return !a && !b; 41+} 42+ 43 /* --- public functions --- */ 44 45 int curl_strequal(const char *first, const char *second) 46diff --git a/lib/strcase.h b/lib/strcase.h 47index b628656..382b80a 100644 48--- a/lib/strcase.h 49+++ b/lib/strcase.h 50@@ -47,4 +47,6 @@ char Curl_raw_toupper(char in); 51 void Curl_strntoupper(char *dest, const char *src, size_t n); 52 void Curl_strntolower(char *dest, const char *src, size_t n); 53 54+bool Curl_safecmp(char *a, char *b); 55+ 56 #endif /* HEADER_CURL_STRCASE_H */ 57diff --git a/lib/url.c b/lib/url.c 58index adef2cd..94e3406 100644 59--- a/lib/url.c 60+++ b/lib/url.c 61@@ -779,6 +779,7 @@ static void conn_free(struct connectdata *conn) 62 Curl_safefree(conn->passwd); 63 Curl_safefree(conn->sasl_authzid); 64 Curl_safefree(conn->options); 65+ Curl_safefree(conn->oauth_bearer); 66 Curl_dyn_free(&conn->trailer); 67 Curl_safefree(conn->host.rawalloc); /* host name buffer */ 68 Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ 69@@ -1340,7 +1341,9 @@ ConnectionExists(struct Curl_easy *data, 70 /* This protocol requires credentials per connection, 71 so verify that we're using the same name and password as well */ 72 if(strcmp(needle->user, check->user) || 73- strcmp(needle->passwd, check->passwd)) { 74+ strcmp(needle->passwd, check->passwd) || 75+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || 76+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { 77 /* one of them was different */ 78 continue; 79 } 80@@ -3635,6 +3638,14 @@ static CURLcode create_conn(struct Curl_easy *data, 81 } 82 } 83 84+ if(data->set.str[STRING_BEARER]) { 85+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); 86+ if(!conn->oauth_bearer) { 87+ result = CURLE_OUT_OF_MEMORY; 88+ goto out; 89+ } 90+ } 91+ 92 #ifdef USE_UNIX_SOCKETS 93 if(data->set.str[STRING_UNIX_SOCKET_PATH]) { 94 conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); 95diff --git a/lib/urldata.h b/lib/urldata.h 96index cc8a600..03da59a 100644 97--- a/lib/urldata.h 98+++ b/lib/urldata.h 99@@ -984,6 +984,7 @@ struct connectdata { 100 char *passwd; /* password string, allocated */ 101 char *options; /* options string, allocated */ 102 char *sasl_authzid; /* authorisation identity string, allocated */ 103+ char *oauth_bearer; /* OAUTH2 bearer, allocated */ 104 unsigned char httpversion; /* the HTTP version*10 reported by the server */ 105 struct curltime now; /* "current" time */ 106 struct curltime created; /* creation time */ 107diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c 108index 03b85ba..a40ac06 100644 109--- a/lib/vtls/vtls.c 110+++ b/lib/vtls/vtls.c 111@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) 112 return !memcmp(first->data, second->data, first->len); /* same data */ 113 } 114 115-static bool safecmp(char *a, char *b) 116-{ 117- if(a && b) 118- return !strcmp(a, b); 119- else if(!a && !b) 120- return TRUE; /* match */ 121- return FALSE; /* no match */ 122-} 123- 124 125 bool 126 Curl_ssl_config_matches(struct ssl_primary_config *data, 127@@ -147,12 +138,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, 128 blobcmp(data->cert_blob, needle->cert_blob) && 129 blobcmp(data->ca_info_blob, needle->ca_info_blob) && 130 blobcmp(data->issuercert_blob, needle->issuercert_blob) && 131- safecmp(data->CApath, needle->CApath) && 132- safecmp(data->CAfile, needle->CAfile) && 133- safecmp(data->issuercert, needle->issuercert) && 134- safecmp(data->clientcert, needle->clientcert) && 135- safecmp(data->random_file, needle->random_file) && 136- safecmp(data->egdsocket, needle->egdsocket) && 137+ Curl_safecmp(data->CApath, needle->CApath) && 138+ Curl_safecmp(data->CAfile, needle->CAfile) && 139+ Curl_safecmp(data->issuercert, needle->issuercert) && 140+ Curl_safecmp(data->clientcert, needle->clientcert) && 141+ Curl_safecmp(data->random_file, needle->random_file) && 142+ Curl_safecmp(data->egdsocket, needle->egdsocket) && 143 Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && 144 Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && 145 Curl_safe_strcasecompare(data->curves, needle->curves) && 146