xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-support/curl/curl/CVE-2022-32208.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
2From: Daniel Stenberg <daniel@haxx.se>
3Date: Thu, 9 Jun 2022 09:27:24 +0200
4Subject: [PATCH] krb5: return error properly on decode errors
5
6Bug: https://curl.se/docs/CVE-2022-32208.html
7CVE-2022-32208
8Reported-by: Harry Sintonen
9Closes #9051
10
11Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
12Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
13---
14 lib/krb5.c | 18 +++++++++++-------
15 1 file changed, 11 insertions(+), 7 deletions(-)
16
17diff --git a/lib/krb5.c b/lib/krb5.c
18index 787137c..6f9e1f7 100644
19--- a/lib/krb5.c
20+++ b/lib/krb5.c
21@@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
22   enc.value = buf;
23   enc.length = len;
24   maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
25-  if(maj != GSS_S_COMPLETE) {
26-    if(len >= 4)
27-      strcpy(buf, "599 ");
28+  if(maj != GSS_S_COMPLETE)
29     return -1;
30-  }
31
32   memcpy(buf, dec.value, dec.length);
33   len = curlx_uztosi(dec.length);
34@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
35 {
36   int len;
37   CURLcode result;
38+  int nread;
39
40   result = socket_read(fd, &len, sizeof(len));
41   if(result)
42@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
43   if(len) {
44     /* only realloc if there was a length */
45     len = ntohl(len);
46-    buf->data = Curl_saferealloc(buf->data, len);
47+    if(len > CURL_MAX_INPUT_LENGTH)
48+      len = 0;
49+    else
50+      buf->data = Curl_saferealloc(buf->data, len);
51   }
52   if(!len || !buf->data)
53     return CURLE_OUT_OF_MEMORY;
54@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
55   result = socket_read(fd, buf->data, len);
56   if(result)
57     return result;
58-  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
59-                                 conn->data_prot, conn);
60+  nread = conn->mech->decode(conn->app_data, buf->data, len,
61+                             conn->data_prot, conn);
62+  if(nread < 0)
63+    return CURLE_RECV_ERROR;
64+  buf->size = (size_t)nread;
65   buf->index = 0;
66   return CURLE_OK;
67 }
68