File curl-CVE-2020-8231.patch of Package curl.19331

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2020-8231.patch of Package curl.19331

From 8c899c70575126151628b1455429cdb7224894fc Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 3 Aug 2020 14:54:13 +0200
Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer

CVE-2020-8231

Bug: https://curl.haxx.se/docs/CVE-2020-8231.html

Index: curl-7.37.0/lib/connect.c
===================================================================
--- curl-7.37.0.orig/lib/connect.c
+++ curl-7.37.0/lib/connect.c
@@ -1160,15 +1160,15 @@ CURLcode Curl_connecthost(struct connect
 }
 
 struct connfind {
-  struct connectdata *tofind;
-  bool found;
+  long id_tofind;
+  struct connectdata *found;
 };
 
 static int conn_is_conn(struct connectdata *conn, void *param)
 {
   struct connfind *f = (struct connfind *)param;
-  if(conn == f->tofind) {
-    f->found = TRUE;
+  if(conn->connection_id == f->id_tofind) {
+    f->found = conn;
     return 1;
   }
   return 0;
@@ -1189,19 +1189,20 @@ curl_socket_t Curl_getconnectinfo(struct
 
   /* this only works for an easy handle that has been used for
      curl_easy_perform()! */
-  if(data->state.lastconnect && data->multi_easy) {
-    struct connectdata *c = data->state.lastconnect;
+  if((data->state.lastconnect_id != -1) && data->multi_easy) {
+    struct connectdata *c;
     struct connfind find;
-    find.tofind = data->state.lastconnect;
-    find.found = FALSE;
+    find.id_tofind = data->state.lastconnect_id;
+    find.found = NULL;
 
     Curl_conncache_foreach(data->multi_easy->conn_cache, &find, conn_is_conn);
 
     if(!find.found) {
-      data->state.lastconnect = NULL;
+      data->state.lastconnect_id = -1;
       return CURL_SOCKET_BAD;
     }
 
+    c = find.found;
     if(connp)
       /* only store this if the caller cares for it */
       *connp = c;
Index: curl-7.37.0/lib/easy.c
===================================================================
--- curl-7.37.0.orig/lib/easy.c
+++ curl-7.37.0/lib/easy.c
@@ -895,8 +895,7 @@ CURL *curl_easy_duphandle(CURL *incurl)
 
   /* the connection cache is setup on demand */
   outcurl->state.conn_cache = NULL;
-
-  outcurl->state.lastconnect = NULL;
+  outcurl->state.lastconnect_id = -1;
 
   outcurl->progress.flags    = data->progress.flags;
   outcurl->progress.callback = data->progress.callback;
Index: curl-7.37.0/lib/multi.c
===================================================================
--- curl-7.37.0.orig/lib/multi.c
+++ curl-7.37.0/lib/multi.c
@@ -403,7 +403,7 @@ CURLMcode curl_multi_add_handle(CURLM *m
 
   /* Point to the multi's connection cache */
   data->state.conn_cache = multi->conn_cache;
-
+  data->state.lastconnect_id = -1;
   data->state.infilesize = data->set.filesize;
 
   /* This adds the new entry at the 'end' of the doubly-linked circular
Index: curl-7.37.0/lib/url.c
===================================================================
--- curl-7.37.0.orig/lib/url.c
+++ curl-7.37.0/lib/url.c
@@ -632,7 +632,7 @@ CURLcode Curl_open(struct SessionHandle
     Curl_convert_init(data);
 
     /* most recent connection is not yet defined */
-    data->state.lastconnect = NULL;
+    data->state.lastconnect_id = -1;
 
     data->progress.flags |= PGRS_HIDE;
     data->state.current_speed = -1; /* init to negative == impossible */
@@ -5889,14 +5889,14 @@ CURLcode Curl_done(struct connectdata **
     /* the connection is no longer in use */
     if(ConnectionDone(data, conn)) {
       /* remember the most recently used connection */
-      data->state.lastconnect = conn;
+      data->state.lastconnect_id = conn->connection_id;
 
       infof(data, "Connection #%ld to host %s left intact\n",
             conn->connection_id,
             conn->bits.httpproxy?conn->proxy.dispname:conn->host.dispname);
     }
     else
-      data->state.lastconnect = NULL;
+      data->state.lastconnect_id = -1;
   }
 
   *connp = NULL; /* to make the caller of this function better detect that
Index: curl-7.37.0/lib/urldata.h
===================================================================
--- curl-7.37.0.orig/lib/urldata.h
+++ curl-7.37.0/lib/urldata.h
@@ -1210,7 +1210,7 @@ struct UrlState {
   /* buffers to store authentication data in, as parsed from input options */
   struct timeval keeps_speed; /* for the progress meter really */
 
-  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
+  long lastconnect_id; /* The last connection, -1 if undefined */
 
   char *headerbuff; /* allocated buffer to store headers in */
   size_t headersize;   /* size of the allocation */

Places

File curl-CVE-2020-8231.patch of Package curl.19331

Places