File curl-CVE-2022-32206.patch of Package curl.25399
From 3a09fbb7f264c67c438d01a30669ce325aa508e2 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 16 May 2022 16:28:13 +0200
Subject: [PATCH] content_encoding: return error on too many compression steps
The max allowed steps is arbitrarily set to 5.
Bug: https://curl.se/docs/CVE-2022-32206.html
CVE-2022-32206
Reported-by: Harry Sintonen
Closes #9049
---
lib/content_encoding.c | 9 +++++++++
1 file changed, 9 insertions(+)
Index: curl-7.66.0/lib/content_encoding.c
===================================================================
--- curl-7.66.0.orig/lib/content_encoding.c
+++ curl-7.66.0/lib/content_encoding.c
@@ -934,6 +934,9 @@ static const content_encoding *find_enco
return NULL;
}
+/* allow no more than 5 "chained" compression steps */
+#define MAX_ENCODE_STACK 5
+
/* Set-up the unencoding stack from the Content-Encoding header value.
* See RFC 7231 section 3.1.2.2. */
CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
@@ -941,6 +944,7 @@ CURLcode Curl_build_unencoding_stack(str
{
struct Curl_easy *data = conn->data;
struct SingleRequest *k = &data->req;
+ int counter = 0;
do {
const char *name;
@@ -975,6 +979,12 @@ CURLcode Curl_build_unencoding_stack(str
if(!encoding)
encoding = &error_encoding; /* Defer error at stack use. */
+ if(++counter >= MAX_ENCODE_STACK) {
+ failf(data, "Reject response due to %u content encodings",
+ counter);
+ return CURLE_BAD_CONTENT_ENCODING;
+ }
+
/* Stack the unencoding stage. */
writer = new_unencoding_writer(conn, encoding, k->writer_stack);
if(!writer)