commit d38adc8f60f9f08298498747bd20c7ec11bfcb3d
Author: Daniel Stenberg <daniel@haxx.se>
Date: Thu Jun 9 09:27:24 2022 +0200
[Backport] krb5: return error properly on decode errors
Offering: RTOS
CVE: CVE-2022-32208
Reference: upstream_commit_id=6ecdf5136b52af747e7bda08db9a748256b1cd09
DTS/AR: DTS2022062910035
type: LTS
reason: fix CVE-2022-32208 for curl.
weblink:https://github.com/curl/curl/commit/6ecdf5136b52af747e7bda08db9a748256b1cd09
Bug: https://curl.se/docs/CVE-2022-32208.html
CVE-2022-32208
Reported-by: Harry Sintonen
Closes #9051
Signed-off-by: laiyuanyuan <laiyuanyuan.lai@huawei.com>
@@ -146,11 +146,8 @@ krb5_decode(void *app_data, void *buf, int len,
enc.value = buf;
enc.length = len;
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
- if(maj != GSS_S_COMPLETE) {
- if(len >= 4)
- strcpy(buf, "599 ");
+ if(maj != GSS_S_COMPLETE)
return -1;
- }
memcpy(buf, dec.value, dec.length);
len = curlx_uztosi(dec.length);
@@ -512,6 +509,7 @@ static CURLcode read_data(struct connectdata *conn,
{
int len;
CURLcode result;
+ int nread;
result = socket_read(fd, &len, sizeof(len));
if(result)
@@ -520,7 +518,10 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
- buf->data = Curl_saferealloc(buf->data, len);
+ if(len > CURL_MAX_INPUT_LENGTH)
+ len = 0;
+ else
+ buf->data = Curl_saferealloc(buf->data, len);
}
if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;
@@ -528,8 +529,11 @@ static CURLcode read_data(struct connectdata *conn,
result = socket_read(fd, buf->data, len);
if(result)
return result;
- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
- conn->data_prot, conn);
+ nread = conn->mech->decode(conn->app_data, buf->data, len,
+ conn->data_prot, conn);
+ if(nread < 0)
+ return CURLE_RECV_ERROR;
+ buf->size = (size_t)nread;
buf->index = 0;
return CURLE_OK;
}