File curl-CVE-2023-27533-no-sscanf.patch of Package curl

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2023-27533-no-sscanf.patch of Package curl

From 0c28ba2faae2d7da780a66d2446045a560192cdc Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Feb 2023 18:14:35 +0100
Subject: [PATCH] telnet: parse telnet options without sscanf

Closes #10596
---
 lib/telnet.c | 136 +++++++++++++++++++++++++++++----------------------
 1 file changed, 77 insertions(+), 59 deletions(-)

Index: curl-7.37.0/lib/telnet.c
===================================================================
--- curl-7.37.0.orig/lib/telnet.c
+++ curl-7.37.0/lib/telnet.c
@@ -822,18 +822,16 @@ static CURLcode check_telnet_options(str
 {
   struct curl_slist *head;
   struct curl_slist *beg;
-  char option_keyword[128] = "";
-  char option_arg[256] = "";
   struct SessionHandle *data = conn->data;
   struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
   CURLcode result = CURLE_OK;
-  int binary_option;
 
   /* Add the user name as an environment variable if it
      was given on the command line */
   if(conn->bits.user_passwd) {
-    snprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user);
-    beg = curl_slist_append(tn->telnet_vars, option_arg);
+    char buffer[256];
+    snprintf(buffer, sizeof(buffer), "USER,%s", data->easy_conn->user);
+    beg = curl_slist_append(tn->telnet_vars, buffer);
     if(!beg) {
       curl_slist_free_all(tn->telnet_vars);
       tn->telnet_vars = NULL;
@@ -843,69 +841,88 @@ static CURLcode check_telnet_options(str
     tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
   }
 
-  for(head = data->set.telnet_options; head; head=head->next) {
-    if(sscanf(head->data, "%127[^= ]%*[ =]%255s",
-              option_keyword, option_arg) == 2) {
-
-      /* Terminal type */
-      if(Curl_raw_equal(option_keyword, "TTYPE")) {
-        strncpy(tn->subopt_ttype, option_arg, 31);
-        tn->subopt_ttype[31] = 0; /* String termination */
-        tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES;
-        continue;
-      }
-
-      /* Display variable */
-      if(Curl_raw_equal(option_keyword, "XDISPLOC")) {
-        strncpy(tn->subopt_xdisploc, option_arg, 127);
-        tn->subopt_xdisploc[127] = 0; /* String termination */
-        tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES;
-        continue;
-      }
-
-      /* Environment variable */
-      if(Curl_raw_equal(option_keyword, "NEW_ENV")) {
-        beg = curl_slist_append(tn->telnet_vars, option_arg);
-        if(!beg) {
-          result = CURLE_OUT_OF_MEMORY;
-          break;
+  for(head = data->set.telnet_options; head && !result; head = head->next) {
+    size_t olen;
+    char *option = head->data;
+    char *arg;
+    char *sep = strchr(option, '=');
+    if(sep) {
+      olen = sep - option;
+      arg = ++sep;
+      switch(olen) {
+      case 5:
+        /* Terminal type */
+        if(Curl_strncasecompare(option, "TTYPE", 5)) {
+          strncpy(tn->subopt_ttype, arg, 31);
+          tn->subopt_ttype[31] = 0; /* String termination */
+          tn->us_preferred[CURL_TELOPT_TTYPE] = CURL_YES;
         }
-        tn->telnet_vars = beg;
-        tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
-        continue;
-      }
-
-          /* Window Size */
-      if(Curl_raw_equal(option_keyword, "WS")) {
-        if(sscanf(option_arg, "%hu%*[xX]%hu",
-                  &tn->subopt_wsx, &tn->subopt_wsy) == 2)
-          tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
-        else {
-          failf(data, "Syntax error in telnet option: %s", head->data);
-          result = CURLE_TELNET_OPTION_SYNTAX;
-          break;
+	else
+	  result = CURLE_UNKNOWN_OPTION;
+	break;
+
+       case 8:
+        /* Display variable */
+        if(Curl_strncasecompare(option, "XDISPLOC", 8)) {
+          strncpy(tn->subopt_xdisploc, arg, 127);
+          tn->subopt_xdisploc[127] = 0; /* String termination */
+          tn->us_preferred[CURL_TELOPT_XDISPLOC] = CURL_YES;
+	}
+	else
+	  result = CURLE_UNKNOWN_OPTION;
+	break;
+
+      case 7:
+       /* Environment variable */
+        if(Curl_strncasecompare(option, "NEW_ENV", 7)) {
+          beg = curl_slist_append(tn->telnet_vars, arg);
+          if(!beg) {
+            result = CURLE_OUT_OF_MEMORY;
+            break;
+          }
+          tn->telnet_vars = beg;
+          tn->us_preferred[CURL_TELOPT_NEW_ENVIRON] = CURL_YES;
         }
-        continue;
-      }
+        else
+          result = CURLE_UNKNOWN_OPTION;
+        break;
 
-      /* To take care or not of the 8th bit in data exchange */
-      if(Curl_raw_equal(option_keyword, "BINARY")) {
-        binary_option=atoi(option_arg);
-        if(binary_option!=1) {
-          tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;
-          tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;
+       case 2:
+        /* Window Size */
+        if(Curl_strncasecompare(option, "WS", 2)) {
+          if(sscanf(arg, "%hu%*[xX]%hu",
+                    &tn->subopt_wsx, &tn->subopt_wsy) == 2)
+            tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
+          else {
+            failf(data, "Syntax error in telnet option: %s", head->data);
+            result = CURLE_TELNET_OPTION_SYNTAX;
+          }
+	}
+	else
+	  result = CURLE_UNKNOWN_OPTION;
+	break;
+
+       case 6:
+        /* To take care or not of the 8th bit in data exchange */
+        if(Curl_strncasecompare(option, "BINARY", 6)) {
+          int binary_option = atoi(arg);
+          if(binary_option != 1) {
+            tn->us_preferred[CURL_TELOPT_BINARY] = CURL_NO;
+            tn->him_preferred[CURL_TELOPT_BINARY] = CURL_NO;
+          }
         }
-        continue;
+        else
+          result = CURLE_UNKNOWN_OPTION;
+        break;
+      default:
+        failf(data, "Unknown telnet option %s", head->data);
+        result = CURLE_UNKNOWN_OPTION;
+        break;
       }
-
-      failf(data, "Unknown telnet option %s", head->data);
-      result = CURLE_UNKNOWN_TELNET_OPTION;
-      break;
     }
     else {
       failf(data, "Syntax error in telnet option: %s", head->data);
       result = CURLE_TELNET_OPTION_SYNTAX;
-      break;
     }
   }
 
Index: curl-7.37.0/lib/rawstr.c
===================================================================
--- curl-7.37.0.orig/lib/rawstr.c
+++ curl-7.37.0/lib/rawstr.c
@@ -59,6 +59,22 @@ int Curl_strcasecompare(const char *firs
   return (Curl_raw_toupper(*first) == Curl_raw_toupper(*second));
 }
 
+int Curl_strncasecompare(const char *first, const char *second, size_t max)
+{
+  while(*first && *second && max) {
+    if(Curl_raw_toupper(*first) != Curl_raw_toupper(*second)) {
+      break;
+    }
+    max--;
+    first++;
+    second++;
+  }
+  if(0 == max)
+    return 1; /* they are equal this far */
+
+  return Curl_raw_toupper(*first) == Curl_raw_toupper(*second);
+}
+
 /*
  * Curl_raw_equal() is for doing "raw" case insensitive strings. This is meant
  * to be locale independent and only compare strings we know are safe for
@@ -123,4 +139,4 @@ bool Curl_safecmp(char *a, char *b)
   if(a && b)
     return !strcmp(a, b);
   return !a && !b;
-}
\ No newline at end of file
+}
Index: curl-7.37.0/lib/rawstr.h
===================================================================
--- curl-7.37.0.orig/lib/rawstr.h
+++ curl-7.37.0/lib/rawstr.h
@@ -44,5 +44,7 @@ char Curl_raw_toupper(char in);
 void Curl_strntoupper(char *dest, const char *src, size_t n);
 bool Curl_safecmp(char *a, char *b);
 
+int Curl_strncasecompare(const char *first, const char *second, size_t max);
+
 #endif /* HEADER_CURL_RAWSTR_H */

Places

File curl-CVE-2023-27533-no-sscanf.patch of Package curl

Places