socks: better buffer size checks for socks4a user and hostname

Also limit the proxy user name to 255 bytes, which is the same limit as
in SOCKS5.

Reported-by: sd0 on hackerone
Closes #12139
Daniel Stenberg 2023-10-13 00:15:29 +02:00
parent 0b6d9ac8d9
commit 01057d6161


@ -402,8 +402,11 @@ CONNECT_REQ_INIT:
socksreq[8] = 0; /* ensure empty userid is NUL-terminated */
if(sx->proxy_user) {
size_t plen = strlen(sx->proxy_user);
if(plen >= (size_t)data->set.buffer_size - 8) {
failf(data, "Too long SOCKS proxy user name, can't use");
if(plen > 255) {
/* there is no real size limit to this field in the protocol, but
SOCKS5 limits the proxy user field to 255 bytes and it seems likely
that a longer field is either a mistake or malicous input */
failf(data, "Too long SOCKS proxy user name");
return CURLPX_LONG_USER;
}
/* copy the proxy name WITH trailing zero */
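Review bot: The new `plen > 255` check replaces, rather than supplements, the old `buffer_size - 8` bound, so the copy at offset 8 that follows (outside the hunk) now relies on the request buffer always holding at least 8 + 256 bytes; if that minimum is guaranteed elsewhere it is worth saying so in the new comment, otherwise keep both conditions, e.g. `if((plen > 255) || (plen >= (size_t)data->set.buffer_size - 8)) {`. The added comment also has a typo, `malicous` should read `malicious`. The enclosing block starts and ends outside the hunk.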
@ -426,7 +429,8 @@ CONNECT_REQ_INIT:
socksreq[7] = 1;
/* append hostname */
hostnamelen = strlen(sx->hostname) + 1; /* length including NUL */
if(hostnamelen <= 255)
if((hostnamelen <= 255) &&
(packetsize + hostnamelen < data->set.buffer_size))
strcpy((char *)socksreq + packetsize, sx->hostname);
else {
failf(data, "SOCKS4: too long host name");
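Review bot: The added condition compares `packetsize + hostnamelen` against `data->set.buffer_size` with no cast, while the removed line in the first hunk converts `buffer_size` with `(size_t)` before comparing; if `buffer_size` is a signed type, as that cast suggests, this is a signed/unsigned comparison that `-Wsign-compare` will flag. For consistency with the rest of the file write it as `(packetsize + hostnamelen < (size_t)data->set.buffer_size))`. The strict `<` is correct here since `hostnamelen` already counts the NUL that `strcpy` writes, so the bound leaves one byte of slack. The enclosing function continues on both sides of the hunk.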