File curl-CVE-2023-27535.patch of Package curl.37304
From 8f4608468b890dce2dad9f91d5607ee7e9c1aba1 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 9 Mar 2023 17:47:06 +0100
Subject: [PATCH] ftp: add more conditions for connection reuse
Reported-by: Harry Sintonen
Closes #10730
---
lib/ftp.c | 28 ++++++++++++++++++++++++++--
lib/ftp.h | 5 +++++
lib/setopt.c | 2 +-
lib/url.c | 17 +++++++++++++++--
lib/urldata.h | 4 ++--
5 files changed, 49 insertions(+), 7 deletions(-)
Index: curl-7.37.0/lib/ftp.c
===================================================================
--- curl-7.37.0.orig/lib/ftp.c
+++ curl-7.37.0/lib/ftp.c
@@ -4179,6 +4179,8 @@ static CURLcode ftp_disconnect(struct co
}
freedirs(ftpc);
+ Curl_safefree(ftpc->account);
+ Curl_safefree(ftpc->alternative_to_user);
if(ftpc->prevpath) {
free(ftpc->prevpath);
ftpc->prevpath = NULL;
@@ -4498,6 +4500,7 @@ static CURLcode ftp_setup_connection(str
char *type;
char command;
struct FTP *ftp;
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
if(conn->bits.httpproxy && !data->set.tunnel_thru_httpproxy) {
/* Unless we have asked to tunnel ftp operations through the proxy, we
@@ -4521,10 +4524,29 @@ static CURLcode ftp_setup_connection(str
#endif
}
- conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
+ ftp = calloc(sizeof(struct FTP), 1);
if(NULL == ftp)
return CURLE_OUT_OF_MEMORY;
+ /* clone connection related data that is FTP specific */
+ if(data->set.str[STRING_FTP_ACCOUNT]) {
+ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
+ if(!ftpc->account) {
+ free(ftp);
+ return CURLE_OUT_OF_MEMORY;
+ }
+ }
+ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
+ ftpc->alternative_to_user =
+ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
+ if(!ftpc->alternative_to_user) {
+ Curl_safefree(ftpc->account);
+ free(ftp);
+ return CURLE_OUT_OF_MEMORY;
+ }
+ }
+ conn->data->req.protop = ftp;
+
data->state.path++; /* don't include the initial slash */
data->state.slash_removed = TRUE; /* we've skipped the slash */
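Review bot: The strdup()ed `ftpc->account` and `ftpc->alternative_to_user` are assigned without releasing any previous value, and the only release this patch adds is in ftp_disconnect(). If ftp_setup_connection() can run more than once for one connectdata, or if a connectdata set up only as the reuse-lookup needle is dropped without passing through ftp_disconnect(), the copies leak; neither path is visible here, so it needs checking against url.c in this tree. Calling `Curl_safefree(ftpc->account);` and `Curl_safefree(ftpc->alternative_to_user);` before the respective strdup() covers the first case. Separately, `calloc(sizeof(struct FTP), 1)` has count and size swapped relative to the prototype; `calloc(1, sizeof(struct FTP))` reads as intended. The function body continues outside the hunk.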
@@ -4561,6 +4583,9 @@ static CURLcode ftp_setup_connection(str
ftp->bytecountp = &conn->data->req.bytecount;
ftp->transfer = FTPTRANSFER_BODY;
ftp->downloadsize = 0;
+ ftpc->known_filesize = -1; /* unknown size for now */
+ ftpc->use_ssl = data->set.use_ssl;
+ ftpc->ccc = data->set.ftp_ccc;
/* No need to duplicate user+password, the connectdata struct won't change
during a session, but we re-init them here since on subsequent inits
Index: curl-7.37.0/lib/ftp.h
===================================================================
--- curl-7.37.0.orig/lib/ftp.h
+++ curl-7.37.0/lib/ftp.h
@@ -117,6 +117,8 @@ struct FTP {
struct */
struct ftp_conn {
struct pingpong pp;
+ char *account;
+ char *alternative_to_user;
char *entrypath; /* the PWD reply when we logged on */
char **dirs; /* realloc()ed array for path components */
int dirdepth; /* number of entries used in the 'dirs' array */
@@ -142,6 +144,9 @@ struct ftp_conn {
ftpstate state; /* always use ftp.c:state() to change state! */
ftpstate state_saved; /* transfer type saved to be reloaded after
data connection is established */
+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
+ * IMAP or POP3 or others! (type: curl_usessl) */
+ unsigned char ccc; /* ccc level for this connection */
curl_off_t retr_size_saved; /* Size of retrieved file saved */
char * server_os; /* The target server operating system. */
curl_off_t known_filesize; /* file size is different from -1, if wildcard
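Review bot: The comment on the new `use_ssl` member ("for FTP or IMAP or POP3 or others!") appears to be copied from the user-settings field and is misleading inside `struct ftp_conn`, which is FTP-only. Something like `/* curl_usessl level this connection was set up with; compared on connection reuse */` and, for `ccc`, `/* curl_ftpccc level this connection was set up with; compared on connection reuse */` states why the fields exist. Both members narrow an enum to `unsigned char`, which is worth one word in the comment so nobody stores a wider value later.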
Index: curl-7.37.0/lib/url.c
===================================================================
--- curl-7.37.0.orig/lib/url.c
+++ curl-7.37.0/lib/url.c
@@ -2130,7 +2130,7 @@ CURLcode Curl_setopt(struct SessionHandl
/*
* Make transfers attempt to use SSL/TLS.
*/
- data->set.use_ssl = (curl_usessl)va_arg(param, long);
+ data->set.use_ssl = (unsigned char)va_arg(param, long);
break;
case CURLOPT_SSL_OPTIONS:
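Review bot: Casting the `long` straight to `unsigned char` truncates it modulo 256 with no range check, so an out-of-range argument such as 256 is silently stored as 0 (`CURLUSESSL_NONE`) instead of being rejected. The diffstat lists lib/urldata.h, but this patch carries no urldata.h section, so `data->set.use_ssl` presumably still has type `curl_usessl` and the narrowing happens only in this cast and in the copy to `ftpc->use_ssl`. Read the value into a `long arg` first, fail with `CURLE_BAD_FUNCTION_ARGUMENT` when `(arg < CURLUSESSL_NONE) || (arg >= CURLUSESSL_LAST)`, and only then store it. The enclosing `case` label is outside the hunk.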
@@ -2925,6 +2925,7 @@ find_oldest_idle_connection_in_bundle(st
return conn_candidate;
}
+#ifdef USE_SSH
static bool ssh_config_matches(struct connectdata *one,
struct connectdata *two)
{
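Review bot: Wrapping `ssh_config_matches()` in `#ifdef USE_SSH` keeps the SFTP/SCP reuse check only if this 7.37.0 tree actually defines `USE_SSH`. The function body carries its own conditional (its `#endif` is visible in the next hunk), which suggests SSH support may be keyed on a different macro here. If `USE_SSH` is undefined, the function and its call site in ConnectionExists() are both compiled out without any diagnostic, so this should be confirmed against the tree's setup headers. The `#else` fallback added in the next hunk expands to `FALSE` ("never matches") and nothing visible uses it, because the only call is itself under `#ifdef USE_SSH`; drop it or comment it, e.g. `/* built without SSH: never referenced */`. The function body lies partly outside both hunks.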
@@ -2935,6 +2936,9 @@ static bool ssh_config_matches(struct co
return TRUE;
#endif
}
+#else
+#define ssh_config_matches(x,y) FALSE
+#endif
/*
* Given one filled in connection struct (named needle), this function should
@@ -3076,12 +3080,6 @@ ConnectionExists(struct SessionHandle *d
}
}
- if(get_protocol_family(needle->handler) == CURLPROTO_SFTP ||
- get_protocol_family(needle->handler) == CURLPROTO_SCP ) {
- if(!ssh_config_matches(needle, check))
- continue;
- }
-
if((needle->handler->flags&PROTOPT_SSL) !=
(check->handler->flags&PROTOPT_SSL))
/* don't do mixed SSL and non-SSL connections */
@@ -3135,6 +3133,29 @@ ConnectionExists(struct SessionHandle *d
}
}
+ if (1) {
+ ; /* noop for the following ifdef and else clauses */
+ }
+#ifdef USE_SSH
+ else if(get_protocol_family(needle->handler->protocol) == CURLPROTO_SFTP ||
+ get_protocol_family(needle->handler->protocol) == CURLPROTO_SCP ) {
+ if(!ssh_config_matches(needle, check))
+ continue;
+ }
+#endif
+#ifndef CURL_DISABLE_FTP
+ else if(get_protocol_family(needle->handler->protocol) & PROTO_FAMILY_FTP) {
+ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
+ if(Curl_timestrcmp(needle->proto.ftpc.account,
+ check->proto.ftpc.account) ||
+ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
+ check->proto.ftpc.alternative_to_user) ||
+ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
+ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
+ continue;
+ }
+#endif
+
if(!needle->bits.httpproxy || needle->handler->flags&PROTOPT_SSL ||
(needle->bits.httpproxy && check->bits.httpproxy &&
needle->bits.tunnel_proxy && check->bits.tunnel_proxy &&
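Review bot: The `if (1)` placeholder that opens this chain is always true, so every `else if` after it is dead code. Neither the SFTP/SCP `ssh_config_matches()` check nor the new FTP comparison of account, alternative-to-user, `use_ssl` and `ccc` can ever reach its `continue`. Because the previous hunk removes the standalone SSH check, the patch as written leaves the FTP settings unchecked on reuse and also drops the SSH restriction that existed before. Remove the dummy statement and make each guarded branch an independent `if(...)`, or at minimum change the placeholder to `if(0)`. The added calls also pass `needle->handler->protocol` to `get_protocol_family()` where the removed lines passed `needle->handler`; one of the two forms presumably does not match the prototype in this tree. ConnectionExists() continues outside the hunk.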
Index: curl-7.37.0/lib/rawstr.c
===================================================================
--- curl-7.37.0.orig/lib/rawstr.c
+++ curl-7.37.0/lib/rawstr.c
@@ -131,6 +131,28 @@ void Curl_strntoupper(char *dest, const
} while(*src++ && --n);
}
+/*
+ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
+ * function spends is a function of the shortest string, not of the contents.
+ */
+int Curl_timestrcmp(const char *a, const char *b)
+{
+ int match = 0;
+ int i = 0;
+
+ if(a && b) {
+ while(1) {
+ match |= a[i]^b[i];
+ if(!a[i] || !b[i])
+ break;
+ i++;
+ }
+ }
+ else
+ return a || b;
+ return match;
+}
+
/* Compare case-sensitive NUL-terminated strings, taking care of possible
* null pointers. Return true if arguments match.
*/
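Review bot: `Curl_timestrcmp()` indexes with `int i`, which overflows (undefined behaviour) for inputs longer than INT_MAX; `size_t i = 0;` is the natural type for the index. The header comment should also state the NULL contract the code implements: two NULL pointers compare equal (returns 0), exactly one NULL returns non-zero immediately, and NULL is not equal to an empty string. That early return is not data-independent, so the "time is a function of the shortest string" statement holds only when both arguments are non-NULL, and the comment should say so.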
Index: curl-7.37.0/lib/rawstr.h
===================================================================
--- curl-7.37.0.orig/lib/rawstr.h
+++ curl-7.37.0/lib/rawstr.h
@@ -52,6 +52,7 @@ char Curl_raw_toupper(char in);
void Curl_strntoupper(char *dest, const char *src, size_t n);
bool Curl_safecmp(char *a, char *b);
+int Curl_timestrcmp(const char *first, const char *second);
#endif /* HEADER_CURL_RAWSTR_H */