
[GNUnet-SVN] [gnurl] 108/116: wildcardmatch: fix heap buffer overflow in


From: gnunet
Subject: [GNUnet-SVN] [gnurl] 108/116: wildcardmatch: fix heap buffer overflow in setcharset
Date: Tue, 05 Dec 2017 14:52:18 +0100

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit 0b664ba968437715819bfe4c7ada5679d16ebbc3
Author: Daniel Stenberg <address@hidden>
AuthorDate: Fri Nov 10 08:52:45 2017 +0100

    wildcardmatch: fix heap buffer overflow in setcharset
    
    The code would previously read beyond the end of the pattern string if the
    match pattern ends with an open bracket when the default pattern
    matching function is used.
    
    Detected by OSS-Fuzz:
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4161
    
    CVE-2017-8817
    
    Bug: https://curl.haxx.se/docs/adv_2017-ae72.html
---
 lib/curl_fnmatch.c      |  9 +++------
 tests/data/Makefile.inc |  2 +-
 tests/data/test1163     | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+), 7 deletions(-)

diff --git a/lib/curl_fnmatch.c b/lib/curl_fnmatch.c
index da83393b4..8a1e106c4 100644
--- a/lib/curl_fnmatch.c
+++ b/lib/curl_fnmatch.c
@@ -133,6 +133,9 @@ static int setcharset(unsigned char **p, unsigned char *charset)
   unsigned char c;
   for(;;) {
     c = **p;
+    if(!c)
+      return SETCHARSET_FAIL;
+
     switch(state) {
     case CURLFNM_SCHS_DEFAULT:
       if(ISALNUM(c)) { /* ASCII value */
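Review bot: The hoisted `if(!c)` guard in front of `switch(state)` has no comment saying that it is now the single end-of-pattern check for every parser state, which is what allows the two per-state `c == '\0'` branches further down to be removed. I would add `/* NUL: the pattern ended inside a bracket expression; reject it before any state reads or advances past the terminator */` above it, so that a state added to the switch later is not written with its own terminator handling, or with none. setcharset's body starts and ends outside this hunk, so whether every path that advances `*p` returns through this check before the next dereference cannot be confirmed from these lines.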
@@ -196,9 +199,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
         else
           return SETCHARSET_FAIL;
       }
-      else if(c == '\0') {
-        return SETCHARSET_FAIL;
-      }
       else {
         charset[c] = 1;
         (*p)++;
@@ -274,9 +274,6 @@ static int setcharset(unsigned char **p, unsigned char *charset)
       else if(c == ']') {
         return SETCHARSET_OK;
       }
-      else if(c == '\0') {
-        return SETCHARSET_FAIL;
-      }
       else if(ISPRINT(c)) {
         charset[c] = 1;
         (*p)++;
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 2a2ca508a..8383d4c64 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -125,7 +125,7 @@ test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
 test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
 test1152 test1153 \
 \
-test1160 test1161 test1162 \
+test1160 test1161 test1162 test1163 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
 test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
 test1216 test1217 test1218 test1219 \
diff --git a/tests/data/test1163 b/tests/data/test1163
new file mode 100644
index 000000000..a109b511b
--- /dev/null
+++ b/tests/data/test1163
@@ -0,0 +1,52 @@
+<testcase>
+<info>
+<keywords>
+FTP
+RETR
+LIST
+wildcardmatch
+ftplistparser
+flaky
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+<data>
+</data>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<tool>
+lib576
+</tool>
+<name>
+FTP wildcard with pattern ending with an open-bracket
+</name>
+<command>
+"ftp://%HOSTIP:%FTPPORT/fully_simulated/DOS/*[][";
+</command>
+</client>
+<verify>
+<protocol>
+USER anonymous
+PASS address@hidden
+PWD
+CWD fully_simulated
+CWD DOS
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+# 78 == CURLE_REMOTE_FILE_NOT_FOUND
+<errorcode>
+78
+</errorcode>
+</verify>
+</testcase>
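Review bot: The `flaky` keyword in `<keywords>` weakens this file as a regression test for CVE-2017-8817, because test runs that exclude or ignore flaky cases would presumably skip it; if the case is stable, the keyword should be dropped. The `<errorcode>` check for 78 may also pass on unfixed code, since reading past the end of a heap buffer does not necessarily change the transfer result, so the case only guards the fix when it runs under valgrind or a sanitizer build. A line beside the existing error-code comment, such as `# only meaningful under valgrind/ASan: the bug is an out-of-bounds read, not a wrong return code`, would record that dependency.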

-- 
To stop receiving notification emails like this one, please contact
address@hidden


