| From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Thu, 9 Jun 2022 09:27:24 +0200 |
| Subject: [PATCH] krb5: return error properly on decode errors |
| |
| Bug: https://curl.se/docs/CVE-2022-32208.html |
| CVE-2022-32208 |
| Reported-by: Harry Sintonen |
| Closes #9051 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7] |
| Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org> |
| --- |
| lib/krb5.c | 18 +++++++++++------- |
| 1 file changed, 11 insertions(+), 7 deletions(-) |
| |
| diff --git a/lib/krb5.c b/lib/krb5.c |
| index 787137c..6f9e1f7 100644 |
| --- a/lib/krb5.c |
| +++ b/lib/krb5.c |
| @@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len, |
| enc.value = buf; |
| enc.length = len; |
| maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); |
| - if(maj != GSS_S_COMPLETE) { |
| - if(len >= 4) |
| - strcpy(buf, "599 "); |
| + if(maj != GSS_S_COMPLETE) |
| return -1; |
| - } |
| |
| memcpy(buf, dec.value, dec.length); |
| len = curlx_uztosi(dec.length); |
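Review bot: The `memcpy(buf, dec.value, dec.length)` right after the new early return still copies without comparing `dec.length` to `len`, which is the only capacity known for `buf` in this hunk. Unwrapped output is normally no larger than the wrapped token, but that depends on the GSS mechanism and is not checked here. An explicit guard before the copy would make the bound local, for example `if(dec.length > (size_t)len) { gss_release_buffer(&min, &dec); return -1; }`. The new `-1` return is also worth a short comment saying callers must treat a negative result as a failed integrity or decryption check and never as a length. krb5_decode starts and ends outside the hunk.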
| @@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn, |
| { |
| int len; |
| CURLcode result; |
| + int nread; |
| |
| result = socket_read(fd, &len, sizeof(len)); |
| if(result) |
| @@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn, |
| if(len) { |
| /* only realloc if there was a length */ |
| len = ntohl(len); |
| - buf->data = Curl_saferealloc(buf->data, len); |
| + if(len > CURL_MAX_INPUT_LENGTH) |
| + len = 0; |
| + else |
| + buf->data = Curl_saferealloc(buf->data, len); |
| } |
| if(!len || !buf->data) |
| return CURLE_OUT_OF_MEMORY; |
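Review bot: The new upper bound does not reject a negative `len`. `len` is declared `int` in the preceding hunk and is assigned from `ntohl()`, so a peer-supplied length with the top bit set becomes negative and passes `len > CURL_MAX_INPUT_LENGTH` if that constant is a signed value (its definition is not in this patch). The negative value would then reach `Curl_saferealloc()` converted to a very large size, and the code relies on that allocation failing. Rejecting it explicitly is cheaper and clearer: `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)`. Separately, an oversized length is reported as `CURLE_OUT_OF_MEMORY` through the `!len` path, which will read as a local resource problem rather than a bad peer message; a comment on `len = 0;` noting this would help whoever triages it.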
| @@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn, |
| result = socket_read(fd, buf->data, len); |
| if(result) |
| return result; |
| - buf->size = conn->mech->decode(conn->app_data, buf->data, len, |
| - conn->data_prot, conn); |
| + nread = conn->mech->decode(conn->app_data, buf->data, len, |
| + conn->data_prot, conn); |
| + if(nread < 0) |
| + return CURLE_RECV_ERROR; |
| + buf->size = (size_t)nread; |
| buf->index = 0; |
| return CURLE_OK; |
| } |
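Review bot: The `nread < 0` check deserves a comment recording why the intermediate `int` exists, since nothing on these lines explains it. Assigning the decode result straight into `buf->size` turned an error return into a huge unsigned size, and a later cleanup could easily fold the two lines back together. Something like `/* decode() returns a negative value on failure; never store that in the unsigned buf->size */` above the call would do. That contract is only visible for krb5_decode in this patch, so it should be confirmed for any other `mech->decode` implementation.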