poky/meta/recipes-support/curl/curl/CVE-2022-32208.patch - openbmc/openbmc - Gitiles

 From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
 From: Daniel Stenberg <daniel@haxx.se>
 Date: Thu, 9 Jun 2022 09:27:24 +0200
 Subject: [PATCH] krb5: return error properly on decode errors

 Bug: https://curl.se/docs/CVE-2022-32208.html
 CVE-2022-32208
 Reported-by: Harry Sintonen
 Closes #9051

 Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
 Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
 ---
  lib/krb5.c | 18 +++++++++++-------
  1 file changed, 11 insertions(+), 7 deletions(-)

 diff --git a/lib/krb5.c b/lib/krb5.c
 index 787137c..6f9e1f7 100644
 --- a/lib/krb5.c
 +++ b/lib/krb5.c
 @@ -140,11 +140,8 @@ krb5_decode(void *app_data, void *buf, int len,
    enc.value = buf;
    enc.length = len;
    maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
 -  if(maj != GSS_S_COMPLETE) {
 -    if(len >= 4)
 -      strcpy(buf, "599 ");
 +  if(maj != GSS_S_COMPLETE)
      return -1;
 -  }

    memcpy(buf, dec.value, dec.length);
    len = curlx_uztosi(dec.length);
 @@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
  {
    int len;
    CURLcode result;
 +  int nread;

    result = socket_read(fd, &len, sizeof(len));
    if(result)
 @@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
    if(len) {
      /* only realloc if there was a length */
      len = ntohl(len);
 -    buf->data = Curl_saferealloc(buf->data, len);
 +    if(len > CURL_MAX_INPUT_LENGTH)
 +      len = 0;
 +    else
 +      buf->data = Curl_saferealloc(buf->data, len);
    }
    if(!len || !buf->data)
      return CURLE_OUT_OF_MEMORY;
 @@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
    result = socket_read(fd, buf->data, len);
    if(result)
      return result;
 -  buf->size = conn->mech->decode(conn->app_data, buf->data, len,
 -                                 conn->data_prot, conn);
 +  nread = conn->mech->decode(conn->app_data, buf->data, len,
 +                             conn->data_prot, conn);
 +  if(nread < 0)
 +    return CURLE_RECV_ERROR;
 +  buf->size = (size_t)nread;
    buf->index = 0;
    return CURLE_OK;
  }
	From fd2ffddec315c029e923e6e6f2c049809d01a5fc Mon Sep 17 00:00:00 2001
	From: Daniel Stenberg <daniel@haxx.se>
	Date: Thu, 9 Jun 2022 09:27:24 +0200
	Subject: [PATCH] krb5: return error properly on decode errors

	Bug: https://curl.se/docs/CVE-2022-32208.html
	CVE-2022-32208
	Reported-by: Harry Sintonen
	Closes #9051

	Upstream-Status: Backport [https://github.com/curl/curl/commit/6ecdf5136b52af7]
	Signed-off-by: Robert Joslyn <robert.joslyn@redrectangle.org>
	---
	lib/krb5.c \| 18 +++++++++++-------
	1 file changed, 11 insertions(+), 7 deletions(-)

	diff --git a/lib/krb5.c b/lib/krb5.c
	index 787137c..6f9e1f7 100644
	--- a/lib/krb5.c
	+++ b/lib/krb5.c
	@@ -140,11 +140,8 @@ krb5_decode(void app_data, void buf, int len,
	enc.value = buf;
	enc.length = len;
	maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
	- if(maj != GSS_S_COMPLETE) {
	- if(len >= 4)
	- strcpy(buf, "599 ");
	+ if(maj != GSS_S_COMPLETE)
	return -1;
	- }

	memcpy(buf, dec.value, dec.length);
	len = curlx_uztosi(dec.length);
	@@ -506,6 +503,7 @@ static CURLcode read_data(struct connectdata *conn,
	{
	int len;
	CURLcode result;
	+ int nread;

	result = socket_read(fd, &len, sizeof(len));
	if(result)
	@@ -514,7 +512,10 @@ static CURLcode read_data(struct connectdata *conn,
	if(len) {
	/* only realloc if there was a length */
	len = ntohl(len);
	- buf->data = Curl_saferealloc(buf->data, len);
	+ if(len > CURL_MAX_INPUT_LENGTH)
	+ len = 0;
	+ else
	+ buf->data = Curl_saferealloc(buf->data, len);
	}
	if(!len \|\| !buf->data)
	return CURLE_OUT_OF_MEMORY;
	@@ -522,8 +523,11 @@ static CURLcode read_data(struct connectdata *conn,
	result = socket_read(fd, buf->data, len);
	if(result)
	return result;
	- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
	- conn->data_prot, conn);
	+ nread = conn->mech->decode(conn->app_data, buf->data, len,
	+ conn->data_prot, conn);
	+ if(nread < 0)
	+ return CURLE_RECV_ERROR;
	+ buf->size = (size_t)nread;
	buf->index = 0;
	return CURLE_OK;
	}