| From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Mon, 9 May 2022 23:13:53 +0200 |
| Subject: [PATCH] url: check SSH config match on connection reuse |
| |
| CVE-2022-27782 |
| |
| Reported-by: Harry Sintonen |
| Bug: https://curl.se/docs/CVE-2022-27782.html |
| Closes #8825 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] |
| Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> |
| --- |
| lib/url.c | 11 +++++++++++ |
| lib/vssh/ssh.h | 6 +++--- |
| 2 files changed, 14 insertions(+), 3 deletions(-) |
| |
| diff --git a/lib/url.c b/lib/url.c |
| index 5ebf5e2..c713e54 100644 |
| --- a/lib/url.c |
| +++ b/lib/url.c |
| @@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data) |
| } |
| } |
| |
| +static bool ssh_config_matches(struct connectdata *one, |
| + struct connectdata *two) |
| +{ |
| + return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && |
| + Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); |
| +} |
| /* |
| * Given one filled in connection struct (named needle), this function should |
| * detect if there already is one that has all the significant details |
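Review bot: ssh_config_matches dereferences one->proto.sshc and two->proto.sshc unconditionally, and if struct ssh_conn is only present in the connectdata union under USE_SSH (as I believe urldata.h declares it), this hunk will fail to compile in builds without SSH support; I believe later upstream url.c wraps the helper in `#ifdef USE_SSH` with a `FALSE` macro fallback. The helper also has no comment saying what it compares and why, so I would put above it `/* TRUE when both connections were configured with the same private and public key file, so a cached SSH connection is not reused with another handle's credentials (CVE-2022-27782). */`. A blank line is also missing between the new closing brace and the `/*` comment that introduces ConnectionExists.
```c
#ifdef USE_SSH
static bool ssh_config_matches(struct connectdata *one,
                               struct connectdata *two)
{
  /* … unchanged: Curl_safecmp of rsa and rsa_pub … */
}
#else
#define ssh_config_matches(x,y) FALSE
#endif
```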
| @@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, |
| (data->state.httpwant < CURL_HTTP_VERSION_2_0)) |
| continue; |
| |
| + if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { |
| + if(!ssh_config_matches(needle, check)) |
| + continue; |
| + } |
| + |
| if((needle->handler->flags&PROTOPT_SSL) |
| #ifndef CURL_DISABLE_PROXY |
| || !needle->bits.httpproxy || needle->bits.tunnel_proxy |
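Review bot: The new test reads check->proto.sshc, a union member, which is only meaningful when check is itself an SSH connection; the check is keyed on needle->handler alone, and because the loop body of ConnectionExists starts outside the hunk I cannot see whether an earlier protocol-compatibility filter already guarantees check is SSH. If it does not, the condition should be `if(get_protocol_family(check->handler) != PROTO_FAMILY_SSH || !ssh_config_matches(needle, check)) continue;`, since a non-SSH candidate must not be reused either. A one-line why-comment would also help the next reader, e.g. `/* an SSH connection may only be reused if it was set up with the same key files (CVE-2022-27782) */`.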
| diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h |
| index 7972081..30d82e5 100644 |
| --- a/lib/vssh/ssh.h |
| +++ b/lib/vssh/ssh.h |
| @@ -7,7 +7,7 @@ |
| * | (__| |_| | _ <| |___ |
| * \___|\___/|_| \_\_____| |
| * |
| - * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. |
| + * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al. |
| * |
| * This software is licensed as described in the file COPYING, which |
| * you should have received as part of this distribution. The terms |
| @@ -131,8 +131,8 @@ struct ssh_conn { |
| |
| /* common */ |
| const char *passphrase; /* pass-phrase to use */ |
| - char *rsa_pub; /* path name */ |
| - char *rsa; /* path name */ |
| + char *rsa_pub; /* strdup'ed public key file */ |
| + char *rsa; /* strdup'ed private key file */ |
| bool authed; /* the connection has been authenticated fine */ |
| bool acceptfail; /* used by the SFTP_QUOTE (continue if |
| quote command fails) */ |