| From 894f6ec730597eb243618d33cc84d71add8d6a8a Mon Sep 17 00:00:00 2001 |
| From: Daniel Stenberg <daniel@haxx.se> |
| Date: Sat, 12 Jun 2021 18:25:15 +0200 |
| Subject: [PATCH] telnet: fix option parser to not send uninitialized contents |
| |
| CVE-2021-22925 |
| |
| Reported-by: Red Hat Product Security |
| Bug: https://curl.se/docs/CVE-2021-22925.html |
| |
| CVE: CVE-2021-22925 |
| |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/894f6ec730597eb243618d33cc84d71add8d6a8a] |
| |
| Signed-off-by: Mingli Yu <mingli.yu@windriver.com> |
| --- |
| lib/telnet.c | 17 +++++++++++------ |
| 1 file changed, 11 insertions(+), 6 deletions(-) |
| |
| diff --git a/lib/telnet.c b/lib/telnet.c |
| index 1d3024ec4..a81bb81c3 100644 |
| --- a/lib/telnet.c |
| +++ b/lib/telnet.c |
| @@ -920,12 +920,17 @@ static void suboption(struct Curl_easy *data) |
| size_t tmplen = (strlen(v->data) + 1); |
| /* Add the variable only if it fits */ |
| if(len + tmplen < (int)sizeof(temp)-6) { |
| - if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) { |
| - msnprintf((char *)&temp[len], sizeof(temp) - len, |
| - "%c%s%c%s", CURL_NEW_ENV_VAR, varname, |
| - CURL_NEW_ENV_VALUE, varval); |
| - len += tmplen; |
| - } |
| + int rv; |
| + char sep[2] = ""; |
| + varval[0] = 0; |
| + rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval); |
| + if(rv == 1) |
| + len += msnprintf((char *)&temp[len], sizeof(temp) - len, |
| + "%c%s", CURL_NEW_ENV_VAR, varname); |
| + else if(rv >= 2) |
| + len += msnprintf((char *)&temp[len], sizeof(temp) - len, |
| + "%c%s%c%s", CURL_NEW_ENV_VAR, varname, |
| + CURL_NEW_ENV_VALUE, varval); |
| } |
| } |
| msnprintf((char *)&temp[len], sizeof(temp) - len, |
| -- |
| 2.17.1 |
| |