File curl-CVE-2024-9681.patch of Package curl.36915

From a94973805df96269bf3f3bf0a20ccb9887313316 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 9 Oct 2024 10:04:35 +0200
Subject: [PATCH] hsts: improve subdomain handling

 - on load, only replace existing HSTS entries if there is a full host match
 - on matching, prefer a full host match and secondary the longest tail subdomain match

Closes #15210
---
 lib/hsts.c          | 14 ++++++++++----
 tests/data/test1660 |  2 +-
 2 files changed, 11 insertions(+), 5 deletions(-)

Index: curl-8.0.1/lib/hsts.c
===================================================================
--- curl-8.0.1.orig/lib/hsts.c
+++ curl-8.0.1/lib/hsts.c
@@ -248,12 +248,14 @@ CURLcode Curl_hsts_parse(struct hsts *h,
 struct stsentry *Curl_hsts(struct hsts *h, const char *hostname,
                            bool subdomain)
 {
+  struct stsentry *bestsub = NULL;
   if(h) {
     char buffer[MAX_HSTS_HOSTLEN + 1];
     time_t now = time(NULL);
     size_t hlen = strlen(hostname);
     struct Curl_llist_element *e;
     struct Curl_llist_element *n;
+    size_t blen = 0;
 
     if((hlen > MAX_HSTS_HOSTLEN) || !hlen)
       return NULL;
@@ -266,6 +268,7 @@ struct stsentry *Curl_hsts(struct hsts *
 
     for(e = h->list.head; e; e = n) {
       struct stsentry *sts = e->ptr;
+      size_t ntail;
       n = e->next;
       if(sts->expires <= now) {
         /* remove expired entries */
@@ -273,20 +276,23 @@ struct stsentry *Curl_hsts(struct hsts *
         hsts_free(sts);
         continue;
       }
-      if(subdomain && sts->includeSubDomains) {
-        size_t ntail = strlen(sts->host);
-        if(ntail < hlen) {
-          size_t offs = hlen - ntail;
-          if((hostname[offs-1] == '.') &&
-             strncasecompare(&hostname[offs], sts->host, ntail))
-            return sts;
+      ntail = strlen(sts->host);
+      if((subdomain && sts->includeSubDomains) && (ntail < hlen)) {
+        size_t offs = hlen - ntail;
+        if((hostname[offs-1] == '.') &&
+           strncasecompare(&hostname[offs], sts->host, ntail) &&
+           (ntail > blen)) {
+          /* save the tail match with the longest tail */
+          bestsub = sts;
+          blen = ntail;
         }
       }
-      if(strcasecompare(hostname, sts->host))
+      /* avoid strcasecompare because the host name is not null terminated */
+      if((hlen == ntail) && strncasecompare(hostname, sts->host, hlen))
         return sts;
     }
   }
-  return NULL; /* no match */
+  return bestsub;
 }
 
 /*
@@ -438,7 +444,7 @@ static CURLcode hsts_add(struct hsts *h,
     e = Curl_hsts(h, p, subdomain);
     if(!e)
       result = hsts_create(h, p, subdomain, expires);
-    else {
+    else if(strcasecompare(p, e->host)) {
       /* the same host name, use the largest expire time */
       if(expires > e->expires)
         e->expires = expires;
Index: curl-8.0.1/tests/data/test1660
===================================================================
--- curl-8.0.1.orig/tests/data/test1660
+++ curl-8.0.1/tests/data/test1660
@@ -52,7 +52,7 @@ this.example [this.example]: 1548400797
 Input 12: error 43
 Input 13: error 43
 Input 14: error 43
-3.example.com [example.com]: 1569905261 includeSubDomains
+3.example.com [3.example.com]: 1569905261 includeSubDomains
 3.example.com [example.com]: 1569905261 includeSubDomains
 foo.example.com [example.com]: 1569905261 includeSubDomains
 'foo.xample.com' is not HSTS