NULL deref when netrc is enabled #17659

Closed
z2-2z wants to merge 3 commits into curl:master from z2-2z:master
z2-2z commented Jun 18, 2025

A NULL deref exists in lib/url.c that can be triggered when netrc is enabled and a specially crafted netrc-file is given to libcurl.
The bug is in line 2830:

```c
NETRCcode ret = Curl_parsenetrc(&data->state.netrc, conn->host.name,
                                userp, passwdp,
                                data->set.str[STRING_NETRC_FILE]);

// ...

if(str_has_ctrl(*userp) || str_has_ctrl(*passwdp)) {

  // ...

}
```

There is a path through Curl_parsenetrc that returns NETRC_OK but leaves *userp as NULL and only sets *passwdp, which then later triggers a NULL-deref in str_has_ctrl(*userp).

To reproduce this, use this netrc file and the following client:

```c
#include "curl/curl.h"

int main (int argc, char** argv) {
    CURL* curl = curl_easy_init();
    curl_easy_setopt(curl, CURLOPT_URL, "ftp://127.0.0.1/");
    /* Make use of the netrc file mandatory for credentials. */
    curl_easy_setopt(curl, CURLOPT_NETRC, CURL_NETRC_REQUIRED);
    /* Path to the netrc file attached to this report. */
    curl_easy_setopt(curl, CURLOPT_NETRC_FILE, "<attached-file>");
    curl_easy_perform(curl);
    curl_easy_cleanup(curl);
    return 0;
}
```
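
The failure mode reported above, as an added example that is not part of the original post and is not libcurl's code: a parser that reports success while leaving one out-parameter NULL, and a caller whose validation tolerates that. All `demo_*` names, `has_ctrl_safe`, its definition of a control byte and the sample credentials are hypothetical stand-ins.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; none of this is libcurl code. */
typedef enum { DEMO_OK, DEMO_NO_MATCH } demo_code;

/* Models the outcome in the report: the parser returns success but
   fills in only the password when set_user is 0. */
static demo_code demo_parse(const char **userp, const char **passwdp,
                            int set_user)
{
  *userp = set_user ? "alice" : NULL;   /* constructed sample values */
  *passwdp = "s3cret";
  return DEMO_OK;
}

/* NULL-tolerant check; "control" = < 0x20 or 0x7f (example's assumption). */
static int has_ctrl_safe(const char *s)
{
  if(!s)
    return 0;
  for(; *s; s++) {
    unsigned char c = (unsigned char)*s;
    if(c < 0x20 || c == 0x7f)
      return 1;
  }
  return 0;
}

/* Returns 1 when either credential must be rejected, 0 otherwise. */
static int demo_reject(const char *user, const char *passwd)
{
  return has_ctrl_safe(user) || has_ctrl_safe(passwd);
}

/* Caller: treats each out-parameter as optional even on DEMO_OK. */
static int demo_lookup(int set_user)
{
  const char *user = NULL, *passwd = NULL;
  if(demo_parse(&user, &passwd, set_user) != DEMO_OK)
    return -1;
  return demo_reject(user, passwd);
}

int main(void)
{
  printf("password only: %d, both set: %d\n", demo_lookup(0), demo_lookup(1));
  return 0;
}
```
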

bagder closed this in f9548bf Jun 20, 2025
bagder added a commit that referenced this pull request Jun 20, 2025
bagder commented Jun 20, 2025

Thanks!

denandz pushed a commit to denandz/curl that referenced this pull request Jun 21, 2025