1From e12531340b03d242d3f892aa8797faf12b56dddf Mon Sep 17 00:00:00 2001 2From: Daniel Stenberg <daniel@haxx.se> 3Date: Mon, 16 May 2022 16:28:13 +0200 4Subject: [PATCH] content_encoding: return error on too many compression steps 5 6The max allowed steps is arbitrarily set to 5. 7 8Bug: https://curl.se/docs/CVE-2022-32206.html 9CVE-2022-32206 10Reported-by: Harry Sintonen 11Closes #9049 12 13Upstream-Status: Backport [https://github.com/curl/curl/commit/3a09fbb7f264c67c43] 14Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> 15--- 16 lib/content_encoding.c | 9 +++++++++ 17 1 file changed, 9 insertions(+) 18 19diff --git a/lib/content_encoding.c b/lib/content_encoding.c 20index c03637a..6f994b3 100644 21--- a/lib/content_encoding.c 22+++ b/lib/content_encoding.c 23@@ -1026,12 +1026,16 @@ static const struct content_encoding *find_encoding(const char *name, 24 return NULL; 25 } 26 27+/* allow no more than 5 "chained" compression steps */ 28+#define MAX_ENCODE_STACK 5 29+ 30 /* Set-up the unencoding stack from the Content-Encoding header value. 31 * See RFC 7231 section 3.1.2.2. */ 32 CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, 33 const char *enclist, int maybechunked) 34 { 35 struct SingleRequest *k = &data->req; 36+ int counter = 0; 37 38 do { 39 const char *name; 40@@ -1066,6 +1070,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, 41 if(!encoding) 42 encoding = &error_encoding; /* Defer error at stack use. */ 43 44+ if(++counter >= MAX_ENCODE_STACK) { 45+ failf(data, "Reject response due to %u content encodings", 46+ counter); 47+ return CURLE_BAD_CONTENT_ENCODING; 48+ } 49 /* Stack the unencoding stage. */ 50 writer = new_unencoding_writer(data, encoding, k->writer_stack); 51 if(!writer) 52