| From 13718030ad4b3209a7583b4f27f683cd3a6fa5f2 Mon Sep 17 00:00:00 2001 |
| From: Harry Sintonen <sintonen@iki.fi> |
| Date: Tue, 25 Apr 2023 09:22:26 +0200 |
| Subject: [PATCH] hostip: add locks around use of global buffer for alarm() |
| |
| When building with the sync name resolver and timeout ability we now |
| require thread-safety to be present to enable it. |
| |
| Closes #11030 |
| |
| CVE: CVE-2023-28320 |
| Upstream-Status: Backport [https://github.com/curl/curl/commit/13718030ad4b3209a7583b] |
| Signed-off-by: Bhabu Bindu <bhabu.bindu@kpit.com> |
| --- |
| lib/hostip.c | 19 +++++++++++++++---- |
| 1 file changed, 15 insertions(+), 4 deletions(-) |
| |
| diff --git a/lib/hostip.c b/lib/hostip.c |
| index 2381290fdd43e..e410cda69ae6e 100644 |
| --- a/lib/hostip.c |
| +++ b/lib/hostip.c |
| @@ -70,12 +70,19 @@ |
| #include <SystemConfiguration/SCDynamicStoreCopySpecific.h> |
| #endif |
| |
| -#if defined(CURLRES_SYNCH) && \ |
| - defined(HAVE_ALARM) && defined(SIGALRM) && defined(HAVE_SIGSETJMP) |
| +#if defined(CURLRES_SYNCH) && \ |
| + defined(HAVE_ALARM) && \ |
| + defined(SIGALRM) && \ |
| + defined(HAVE_SIGSETJMP) && \ |
| + defined(GLOBAL_INIT_IS_THREADSAFE) |
| /* alarm-based timeouts can only be used with all the dependencies satisfied */ |
| #define USE_ALARM_TIMEOUT |
| #endif |
| |
| +#ifdef USE_ALARM_TIMEOUT |
| +#include "easy_lock.h" |
| +#endif |
| + |
| #define MAX_HOSTCACHE_LEN (255 + 7) /* max FQDN + colon + port number + zero */ |
| |
| /* |
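Review bot: The comment above `#define USE_ALARM_TIMEOUT` still says only "all the dependencies satisfied" and does not explain why `GLOBAL_INIT_IS_THREADSAFE` was added to the condition. A build that lacks it now compiles without alarm-based lookup timeouts, so a synchronous resolve can presumably block for as long as the system resolver does. I would extend the comment to something like `/* alarm-based timeouts need every dependency plus a working lock (GLOBAL_INIT_IS_THREADSAFE) to guard the global curl_jmpenv; without them name lookups get no timeout */`.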
| @@ -254,11 +261,12 @@ void Curl_hostcache_prune(struct Curl_easy *data) |
| Curl_share_unlock(data, CURL_LOCK_DATA_DNS); |
| } |
| |
| -#ifdef HAVE_SIGSETJMP |
| +#ifdef USE_ALARM_TIMEOUT |
| /* Beware this is a global and unique instance. This is used to store the |
| return address that we can jump back to from inside a signal handler. This |
| is not thread-safe stuff. */ |
| sigjmp_buf curl_jmpenv; |
| +curl_simple_lock curl_jmpenv_lock; |
| #endif |
| |
| /* lookup address, returns entry if found and not stale */ |
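Review bot: `curl_simple_lock curl_jmpenv_lock;` is defined without an initializer, so it relies on zero-initialisation being a valid unlocked state for every lock type easy_lock.h can select. That holds for an atomic int or an SRWLOCK, but it is not guaranteed for a pthread mutex. If easy_lock.h in this tree provides `CURL_SIMPLE_LOCK_INIT`, the definition should read `curl_simple_lock curl_jmpenv_lock = CURL_SIMPLE_LOCK_INIT;`. The comment above still ends with "This is not thread-safe stuff" and should now say that curl_jmpenv may only be touched while curl_jmpenv_lock is held.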
| @@ -832,7 +840,6 @@ enum resolve_t Curl_resolv(struct Curl_easy *data, |
| static |
| void alarmfunc(int sig) |
| { |
| - /* this is for "-ansi -Wall -pedantic" to stop complaining! (rabe) */ |
| (void)sig; |
| siglongjmp(curl_jmpenv, 1); |
| } |
| @@ -912,6 +919,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data, |
| This should be the last thing we do before calling Curl_resolv(), |
| as otherwise we'd have to worry about variables that get modified |
| before we invoke Curl_resolv() (and thus use "volatile"). */ |
| + curl_simple_lock_lock(&curl_jmpenv_lock); |
| + |
| if(sigsetjmp(curl_jmpenv, 1)) { |
| /* this is coming from a siglongjmp() after an alarm signal */ |
| failf(data, "name lookup timed out"); |
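Review bot: Taking `curl_jmpenv_lock` before `sigsetjmp()` stops two threads from overwriting curl_jmpenv, but it does not control which thread receives SIGALRM: alarm() is process-wide and the signal may be delivered to any thread that has not blocked it. If alarmfunc() runs on a thread other than the lock holder, `siglongjmp(curl_jmpenv, 1)` jumps into another thread's saved context, which is undefined behaviour. That residual risk should be stated next to the lock, for example `/* the lock only serialises use of curl_jmpenv; SIGALRM can still land on another thread, so threaded programs should set CURLOPT_NOSIGNAL */`. The lock is also held for the whole blocking lookup, so concurrent resolves wait (or spin, depending on the lock type) for up to the full timeout. Curl_resolv_timeout's body starts and ends outside this hunk.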
| @@ -980,6 +989,8 @@ enum resolve_t Curl_resolv_timeout(struct Curl_easy *data, |
| #endif |
| #endif /* HAVE_SIGACTION */ |
| |
| + curl_simple_lock_unlock(&curl_jmpenv_lock); |
| + |
| /* switch back the alarm() to either zero or to what it was before minus |
| the time we spent until now! */ |
| if(prev_alarm) { |
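Review bot: The unlock sits before the block that restores the caller's previous alarm(), so that restore runs outside the critical section. Once the lock is released, another thread can enter Curl_resolv_timeout and arm its own alarm(); the `if(prev_alarm)` branch here may then replace that timer with the old value, leaving the other lookup without its timeout. Moving `curl_simple_lock_unlock(&curl_jmpenv_lock);` to after the `if(prev_alarm)` block would keep every alarm() call under the lock. The restore block continues past the end of the hunk, so this needs checking against the full function, as does whether every exit taken after the lock was acquired reaches this unlock.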