
From db0a0dfb0eb41d39273b0590b992df58f38b9a4d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 29 Jul 2019 22:10:13 +0200
Subject: [PATCH] curl: cap the maximum allowed values for retry time arguments

... to avoid integer overflows later when multiplying with 1000 to
convert seconds to milliseconds.

Added test 1269 to verify.

Reported-by: Jason Lee
Closes #4166
---
 src/tool_getparam.c     |  4 ++--
 src/tool_paramhlp.c     | 22 ++++++++++++++++++++++
 src/tool_paramhlp.h     |  3 ++-
 tests/data/Makefile.inc |  2 +-
 tests/data/test1269     | 34 ++++++++++++++++++++++++++++++++++
 5 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 tests/data/test1269

Index: curl-7.37.0/src/tool_getparam.c
===================================================================
--- curl-7.37.0.orig/src/tool_getparam.c
+++ curl-7.37.0/src/tool_getparam.c
@@ -787,12 +787,12 @@ ParameterError getparameter(char *flag,
           return err;
         break;
       case 'h': /* --retry-delay */
-        err = str2unum(&config->retry_delay, nextarg);
+        err = str2unummax(&config->retry_delay, nextarg, LONG_MAX/1000);
         if(err)
           return err;
         break;
       case 'i': /* --retry-max-time */
-        err = str2unum(&config->retry_maxtime, nextarg);
+        err = str2unummax(&config->retry_maxtime, nextarg, LONG_MAX/1000);
         if(err)
           return err;
         break;
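Review bot: The cap `LONG_MAX/1000` is written out twice (the `--retry-delay` and `--retry-max-time` cases) with nothing saying why 1000 is the divisor; a reader has to find the seconds-to-milliseconds multiplication elsewhere to understand it. I would hoist it into one named constant next to the other option limits, e.g. `#define MAX_RETRY_SECS (LONG_MAX/1000) /* later multiplied by 1000 for ms */`, and use it in both calls so the two options cannot drift apart. `LONG_MAX` needs `<limits.h>`; the hunk does not add that include, so presumably it already arrives through the tool's setup header — worth confirming on the target branch. The enclosing getparameter() switch starts and ends outside this hunk.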
Index: curl-7.37.0/src/tool_paramhlp.c
===================================================================
--- curl-7.37.0.orig/src/tool_paramhlp.c
+++ curl-7.37.0/src/tool_paramhlp.c
@@ -189,6 +189,28 @@ ParameterError str2unum(long *val, const
 }
 
 /*
+ * Parse the string and write the long in the given address if it is below the
+ * maximum allowed value. Return PARAM_OK on success, otherwise a parameter
+ * error enum. ONLY ACCEPTS POSITIVE NUMBERS!
+ *
+ * Since this function gets called with the 'nextarg' pointer from within the
+ * getparameter a lot, we must check it for NULL before accessing the str
+ * data.
+ */
+
+ParameterError str2unummax(long *val, const char *str, long max)
+{
+  ParameterError result = str2unum(val, str);
+  if(result != PARAM_OK)
+    return result;
+  if(*val > max)
+    return PARAM_BAD_NUMERIC;
+
+  return PARAM_OK;
+}
+
+
+/*
  * Parse the string and write the double in the given address. Return PARAM_OK
  * on success, otherwise a parameter specific error enum.
  *
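Review bot: The header comment on str2unummax() does not match its body: it says the caller "must check it for NULL before accessing the str data", but this function never touches `str` itself — it delegates to str2unum(), which is where any NULL handling happens — and it says the value is written "if it is below the maximum" while `if(*val > max)` accepts a value equal to `max`. The second paragraph also reads as copied from str2unum()'s comment. I would replace the two sentences with: `Accepts values up to and including 'max'. NULL checking of 'str' is done by str2unum(); note that *val is already written when PARAM_BAD_NUMERIC is returned, so callers must not use it on error.` If that last property is undesirable, parse into a local `long` and assign `*val` only after the range check passes; the callers in tool_getparam.c return on any error, so today it is harmless.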
Index: curl-7.37.0/src/tool_paramhlp.h
===================================================================
--- curl-7.37.0.orig/src/tool_paramhlp.h
+++ curl-7.37.0/src/tool_paramhlp.h
@@ -33,6 +33,7 @@ void cleanarg(char *str);
 
 ParameterError str2num(long *val, const char *str);
 ParameterError str2unum(long *val, const char *str);
+ParameterError str2unummax(long *val, const char *str, long max);
 ParameterError str2double(double *val, const char *str);
 ParameterError str2udouble(double *val, const char *str);
 
Index: curl-7.37.0/tests/data/test1269
===================================================================
--- /dev/null
+++ curl-7.37.0/tests/data/test1269
@@ -0,0 +1,34 @@
+<testcase>
+<info>
+<keywords>
+--retry-delay
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+ <name>
+too large --retry-delay value
+ </name>
+ <command>
+--retry 3 --retry-delay 9223372036854776 http://%HOSTIP:%HTTPPORT/1269
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+2
+</errorcode>
+</verify>
+</testcase>
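Review bot: The argument `9223372036854776` only exceeds `LONG_MAX/1000` when `long` is 64-bit; on a 32-bit `long` the number does not fit at all, so str2unum() presumably rejects it before str2unummax()'s range check is reached, and the test then passes without exercising the new cap. If the intent is to cover the new check on every platform, a second command or test with a value above `LONG_MAX/1000` but below `LONG_MAX` for 32-bit `long` (for example `2147484`) would do that; at minimum a comment in `<name>` or above `<command>` saying the value targets 64-bit `long` would save the next reader the arithmetic.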
Index: curl-7.37.0/tests/data/Makefile.am
===================================================================
--- curl-7.37.0.orig/tests/data/Makefile.am
+++ curl-7.37.0/tests/data/Makefile.am
@@ -110,6 +110,7 @@ test1216 test1217 test1218 test1219 \
 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
 test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
 test1236 test1237 test1238 test1239 test1240 \
+test1269 \
 test1289 \
 \
 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
Index: curl-7.37.0/tests/data/Makefile.in
===================================================================
--- curl-7.37.0.orig/tests/data/Makefile.in
+++ curl-7.37.0/tests/data/Makefile.in
@@ -418,6 +418,7 @@ test1216 test1217 test1218 test1219 \
 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
 test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
 test1236 test1237 test1238 test1239 test1240 \
+test1269 \
 test1289 \
 \
 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \