Skip to content

/ curl

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Socks5 Buffer Overflow #3737

Closed
XmiliaH opened this issue Apr 5, 2019 · 2 comments
Closed

Socks5 Buffer Overflow #3737

XmiliaH opened this issue Apr 5, 2019 · 2 comments
Labels
connecting & proxies crash

Comments

@XmiliaH
Copy link

@XmiliaH XmiliaH commented Apr 5, 2019

I did this

curl -x socks5://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBB@127.0.0.1:5555/ google.com

I had a custom script running at 5555 which just sends [5,2] (Use Password) on first packet and on then second [5,1] (Will cause an error + return)

And got:
*** stack smashing detected ***: terminated
Or when you use a longer username:
*** buffer overflow detected ***: curl terminated

I expected the following

Curl to give an error or to truncate the password + username

curl/libcurl version

curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

operating system

Ubuntu 18.04.2 LTS

Problematic Codeline

https://github.com/curl/curl/blob/master/lib/socks.c#L531
@bagder
Copy link
Member

@bagder bagder commented Apr 5, 2019
edited

I cannot reproduce with that command line on 7.64.1
@bagder bagder added the crash label Apr 5, 2019
@bagder
Copy link
Member

@bagder bagder commented Apr 5, 2019

Ah, I guess I need some sort of proxy running too...
bagder added a commit that referenced this issue Apr 5, 2019
@bagder
socks5: make sure the data fits in the output buffer
Verified
This commit was signed with a verified signature.
bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about signing commits
Loading status checks…
baed8f7 
... so that excessive user name and passwords won't overflow it.

Reported-by: XmiliaH on github
Fixes #3737
@bagder bagder mentioned this issue Apr 5, 2019
Closed
bagder added a commit that referenced this issue Apr 6, 2019
@bagder
socks5: user name and passwords must be shorter than 256
Verified
This commit was signed with a verified signature.
bagder Daniel Stenberg
GPG key ID: 5CC908FDB71E12C2 Learn about signing commits
Loading status checks…
d385b4f 
bytes... since the protocol needs to store the length in a single byte field.

Reported-by: XmiliaH on github
Fixes #3737
@bagder bagder closed this in f4b6901 Apr 7, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jul 7, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
connecting & proxies crash
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

socks5: make sure the data fits in the output buffer
2 participants
@bagder @XmiliaH
You can’t perform that action at this time.