Overview

File curl-CVE-2020-8231.patch of Package curl.28980

From 8c899c70575126151628b1455429cdb7224894fc Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 3 Aug 2020 14:54:13 +0200
Subject: [PATCH] Curl_easy: remember last connection by id, not by pointer

CVE-2020-8231

Bug: https://curl.haxx.se/docs/CVE-2020-8231.html

Reported-by: Marc Aldorasi
---
 lib/connect.c | 19 ++++++++++---------
 lib/easy.c    |  3 +--
 lib/multi.c   | 10 ++++++----
 lib/url.c     |  2 +-
 lib/urldata.h |  2 +-
 5 files changed, 19 insertions(+), 17 deletions(-)

Index: curl-7.66.0/lib/connect.c
===================================================================
--- curl-7.66.0.orig/lib/connect.c
+++ curl-7.66.0/lib/connect.c
@@ -1328,15 +1328,15 @@ CURLcode Curl_connecthost(struct connect
 }
 
 struct connfind {
-  struct connectdata *tofind;
-  bool found;
+  long id_tofind;
+  struct connectdata *found;
 };
 
 static int conn_is_conn(struct connectdata *conn, void *param)
 {
   struct connfind *f = (struct connfind *)param;
-  if(conn == f->tofind) {
-    f->found = TRUE;
+  if(conn->connection_id == f->id_tofind) {
+    f->found = conn;
     return 1;
   }
   return 0;
@@ -1358,21 +1358,22 @@ curl_socket_t Curl_getconnectinfo(struct
    * - that is associated with a multi handle, and whose connection
    *   was detached with CURLOPT_CONNECT_ONLY
    */
-  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
-    struct connectdata *c = data->state.lastconnect;
+  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
+    struct connectdata *c;
     struct connfind find;
-    find.tofind = data->state.lastconnect;
-    find.found = FALSE;
+    find.id_tofind = data->state.lastconnect_id;
+    find.found = NULL;
 
     Curl_conncache_foreach(data, data->multi_easy?
                            &data->multi_easy->conn_cache:
                            &data->multi->conn_cache, &find, conn_is_conn);
 
     if(!find.found) {
-      data->state.lastconnect = NULL;
+      data->state.lastconnect_id = -1;
       return CURL_SOCKET_BAD;
     }
 
+    c = find.found;
     if(connp) {
       /* only store this if the caller cares for it */
       *connp = c;
Index: curl-7.66.0/lib/easy.c
===================================================================
--- curl-7.66.0.orig/lib/easy.c
+++ curl-7.66.0/lib/easy.c
@@ -828,8 +828,7 @@ struct Curl_easy *curl_easy_duphandle(st
 
   /* the connection cache is setup on demand */
   outcurl->state.conn_cache = NULL;
-
-  outcurl->state.lastconnect = NULL;
+  outcurl->state.lastconnect_id = -1;
 
   outcurl->progress.flags    = data->progress.flags;
   outcurl->progress.callback = data->progress.callback;
Index: curl-7.66.0/lib/multi.c
===================================================================
--- curl-7.66.0.orig/lib/multi.c
+++ curl-7.66.0/lib/multi.c
@@ -434,6 +434,7 @@ CURLMcode curl_multi_add_handle(struct C
     data->state.conn_cache = &data->share->conn_cache;
   else
     data->state.conn_cache = &multi->conn_cache;
+  data->state.lastconnect_id = -1;
 
 #ifdef USE_LIBPSL
   /* Do the same for PSL. */
@@ -639,11 +640,11 @@ static CURLcode multi_done(struct Curl_e
     /* the connection is no longer in use by this transfer */
     if(Curl_conncache_return_conn(conn)) {
       /* remember the most recently used connection */
-      data->state.lastconnect = conn;
+      data->state.lastconnect_id = conn->connection_id;
       infof(data, "%s\n", buffer);
     }
     else
-      data->state.lastconnect = NULL;
+      data->state.lastconnect_id = -1;
   }
 
   Curl_free_request_state(data);
Index: curl-7.66.0/lib/url.c
===================================================================
--- curl-7.66.0.orig/lib/url.c
+++ curl-7.66.0/lib/url.c
@@ -608,7 +608,7 @@ CURLcode Curl_open(struct Curl_easy **cu
       Curl_initinfo(data);
 
       /* most recent connection is not yet defined */
-      data->state.lastconnect = NULL;
+      data->state.lastconnect_id = -1;
 
       data->progress.flags |= PGRS_HIDE;
       data->state.current_speed = -1; /* init to negative == impossible */
Index: curl-7.66.0/lib/urldata.h
===================================================================
--- curl-7.66.0.orig/lib/urldata.h
+++ curl-7.66.0/lib/urldata.h
@@ -1274,7 +1274,7 @@ struct UrlState {
   /* buffers to store authentication data in, as parsed from input options */
   struct curltime keeps_speed; /* for the progress meter really */
 
-  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
+  long lastconnect_id; /* The last connection, -1 if undefined */
 
   char *headerbuff; /* allocated buffer to store headers in */
   size_t headersize;   /* size of the allocation */
openSUSE Build Service is sponsored by
Places