
FTP: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
bagder committed Sep 24, 2017
1 parent 440dbcb commit 5ff2c5ff25750aba1a8f64fbcad8e5b891512584
Showing with 67 additions and 2 deletions.
  1. +5 −2 lib/ftp.c
  2. +1 −0 tests/data/Makefile.inc
  3. +61 −0 tests/data/test1152
@@ -2779,6 +2779,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
const size_t buf_size = data->set.buffer_size;
char *dir;
char *store;
bool entry_extracted = FALSE;

dir = malloc(nread + 1);
if(!dir)
@@ -2810,7 +2811,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
}
else {
/* end of path */
*store = '\0'; /* zero terminate */
entry_extracted = TRUE;
break; /* get out of this loop */
}
}
@@ -2819,7 +2820,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
store++;
ptr++;
}

*store = '\0'; /* zero terminate */
}
if(entry_extracted) {
/* If the path name does not look like an absolute path (i.e.: it
does not start with a '/'), we probably need some server-dependent
adjustments. For example, this is the case when connecting to
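Review bot: The unconditional `*store = '\0'` added after the inner loop in the third hunk is only in bounds because `dir` was allocated `nread + 1` bytes (the `malloc(nread + 1)` visible in the first hunk), which leaves room for the terminator even when the copy loop consumes every input byte; that invariant is what the CVE fix rests on and is worth stating at the write site, e.g. `/* dir holds nread + 1 bytes, so the terminator fits even if the loop copied all of the input */`. The switch from the old condition to `if(entry_extracted)` means the path-adjustment branch now runs only when a closing quote was actually found, while the buffer is always terminated; what happens to `dir` in the unterminated-quote case (freed, or carried on as an empty/partial path) is outside this hunk and presumably handled by the existing code below. The enclosing function `ftp_statemach_act` starts before the first hunk and continues after the last.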
@@ -122,6 +122,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
test1152 \
\
test1160 test1161 \
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
@@ -0,0 +1,61 @@
<testcase>
<info>
<keywords>
FTP
PASV
LIST
</keywords>
</info>
#
# Server-side
<reply>
<servercmd>
REPLY PWD 257 "just one
</servercmd>

# When doing LIST, we get the default list output hard-coded in the test
# FTP server
<data mode="text">
total 20
drwxr-xr-x 8 98 98 512 Oct 22 13:06 .
drwxr-xr-x 8 98 98 512 Oct 22 13:06 ..
drwxr-xr-x 2 98 98 512 May 2 1996 curl-releases
-r--r--r-- 1 0 1 35 Jul 16 1996 README
lrwxrwxrwx 1 0 1 7 Dec 9 1999 bin -> usr/bin
dr-xr-xr-x 2 0 1 512 Oct 1 1997 dev
drwxrwxrwx 2 98 98 512 May 29 16:04 download.html
dr-xr-xr-x 2 0 1 512 Nov 30 1995 etc
drwxrwxrwx 2 98 1 512 Oct 30 14:33 pub
dr-xr-xr-x 5 0 1 512 Oct 1 1997 usr
</data>
</reply>

#
# Client-side
<client>
<server>
ftp
</server>
<name>
FTP with uneven quote in PWD response
</name>
<command>
ftp://%HOSTIP:%FTPPORT/test-1152/
</command>
</client>

#
# Verify data after the test has been "shot"
<verify>
<protocol>
USER anonymous
PASS ftp@example.com
PWD
CWD test-1152
EPSV
TYPE A
LIST
QUIT
</protocol>
</verify>
</testcase>
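Review bot: The `<verify>` section only pins the command sequence (`PWD`, `CWD test-1152`, ...), which appears to be the same on the unfixed code, so this test exposes the missing terminator only when the harness runs curl under valgrind or a sanitizer rather than through the protocol check itself. A comment in the server-side block making that explicit would help the next reader, e.g. `# The unbalanced quote in the PWD reply used to leave the entry path unterminated (CVE-2017-1000254); this test relies on memory checking to catch a regression`. Whether the test harness enables such checking by default is not visible from this page.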
