File curl-CVE-2023-27534.patch of Package curl

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2023-27534.patch of Package curl

From 4e2b52b5f7a3bf50a0f1494155717b02cc1df6d6 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 9 Mar 2023 16:22:11 +0100
Subject: [PATCH] curl_path: create the new path with dynbuf

Closes #10729
---
 lib/curl_path.c | 75 +++++++++++++++++++++++--------------------------
 1 file changed, 35 insertions(+), 40 deletions(-)

Index: curl-7.37.0/lib/ssh.c
===================================================================
--- curl-7.37.0.orig/lib/ssh.c
+++ curl-7.37.0/lib/ssh.c
@@ -87,6 +87,8 @@
 #define _MPRINTF_REPLACE /* use our functions only */
 #include <curl/mprintf.h>
 
+#include "dynbuf.h"
+
 #include "curl_memory.h"
 /* The last #include file should be: */
 #include "memdebug.h"
@@ -101,6 +103,10 @@
                          have their definition hidden well */
 #endif
 
+#ifndef MAX_SSHPATH_LEN
+#define MAX_SSHPATH_LEN 100000 /* arbitrary */
+#endif
+
 #define sftp_libssh2_last_error(s) curlx_ultosi(libssh2_sftp_last_error(s))
 
 #define sftp_libssh2_realpath(s,p,t,m) \
@@ -405,61 +411,58 @@ static CURLcode ssh_getworkingpath(struc
                                                    real path to work with */
 {
   struct SessionHandle *data = conn->data;
-  char *real_path = NULL;
   char *working_path;
   int working_path_len;
+  struct dynbuf npath;
 
   working_path = curl_easy_unescape(data, data->state.path, 0,
                                     &working_path_len);
   if(!working_path)
     return CURLE_OUT_OF_MEMORY;
 
+  /* new path to switch to in case we need to */
+  Curl_dyn_init(&npath, MAX_SSHPATH_LEN);
+
   /* Check for /~/ , indicating relative to the user's home directory */
-  if(conn->handler->protocol & CURLPROTO_SCP) {
-    real_path = malloc(working_path_len+1);
-    if(real_path == NULL) {
+  if((data->easy_conn->handler->protocol & CURLPROTO_SCP) &&
+     (working_path_len > 3) && (!memcmp(working_path, "/~/", 3))) {
+    /* It is referenced to the home directory, so strip the leading '/~/' */
+    if(Curl_dyn_addn(&npath, &working_path[3], working_path_len - 3)) {
       free(working_path);
       return CURLE_OUT_OF_MEMORY;
     }
-    if((working_path_len > 3) && (!memcmp(working_path, "/~/", 3)))
-      /* It is referenced to the home directory, so strip the leading '/~/' */
-      memcpy(real_path, working_path+3, 4 + working_path_len-3);
-    else
-      memcpy(real_path, working_path, 1 + working_path_len);
   }
-  else if(conn->handler->protocol & CURLPROTO_SFTP) {
-    if((working_path_len > 1) && (working_path[1] == '~')) {
-      size_t homelen = strlen(homedir);
-      real_path = malloc(homelen + working_path_len + 1);
-      if(real_path == NULL) {
-        free(working_path);
-        return CURLE_OUT_OF_MEMORY;
-      }
-      /* It is referenced to the home directory, so strip the
-         leading '/' */
-      memcpy(real_path, homedir, homelen);
-      real_path[homelen] = '/';
-      real_path[homelen+1] = '\0';
-      if(working_path_len > 3) {
-        memcpy(real_path+homelen+1, working_path + 3,
-               1 + working_path_len -3);
-      }
+  else if((data->easy_conn->handler->protocol & CURLPROTO_SFTP) &&
+	  (working_path_len > 2) && !memcmp(working_path, "/~/", 3)) {
+    size_t len;
+    const char *p;
+    int copyfrom = 3;
+    if(Curl_dyn_add(&npath, homedir)) {
+      free(working_path);
+      return CURLE_OUT_OF_MEMORY;
     }
-    else {
-      real_path = malloc(working_path_len+1);
-      if(real_path == NULL) {
-        free(working_path);
-        return CURLE_OUT_OF_MEMORY;
-      }
-      memcpy(real_path, working_path, 1+working_path_len);
+    /* Copy a separating '/' if homedir does not end with one */
+    len = Curl_dyn_len(&npath);
+    p = Curl_dyn_ptr(&npath);
+    if(len && (p[len-1] != '/'))
+      copyfrom = 2;
+
+    if(Curl_dyn_addn(&npath,
+		     &working_path[copyfrom],
+		     working_path_len - copyfrom)) {
+      free(working_path);
+      return CURLE_OUT_OF_MEMORY;
     }
   }
 
-  free(working_path);
-
-  /* store the pointer for the caller to receive */
-  *path = real_path;
+  if(Curl_dyn_len(&npath)) {
+    free(working_path);
 
+    /* store the pointer for the caller to receive */
+    *path = Curl_dyn_ptr(&npath);
+  }
+  else
+    *path = working_path;
   return CURLE_OK;
 }

Places

File curl-CVE-2023-27534.patch of Package curl

Places