FTP: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero terminating byte. CVE-2017-1000254 Test 1152 added to verify. Reported-by: Max Dymond Bug: https://curl.haxx.se/docs/adv_20171004.html
2024-11-27 05:50:21 +08:00 · 2017-09-25 00:35:22 +02:00 · 2017-09-25 00:35:22 +02:00 · 5ff2c5ff25
commit 5ff2c5ff25
parent 440dbcb06e
3 changed files with 67 additions and 2 deletions
--- a/lib/ftp.c
+++ b/lib/ftp.c
@ -2779,6 +2779,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
        const size_t buf_size = data->set.buffer_size;
        char *dir;
        char *store;
+        bool entry_extracted = FALSE;

        dir = malloc(nread + 1);
        if(!dir)
@ -2810,7 +2811,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
              }
              else {
                /* end of path */
-                *store = '\0'; /* zero terminate */
+                entry_extracted = TRUE;
                break; /* get out of this loop */
              }
            }
@ -2819,7 +2820,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
            store++;
            ptr++;
          }
-
+          *store = '\0'; /* zero terminate */
+        }
+        if(entry_extracted) {
          /* If the path name does not look like an absolute path (i.e.: it
             does not start with a '/'), we probably need some server-dependent
             adjustments. For example, this is the case when connecting to
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@ -122,6 +122,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
 test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
 test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
 test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
+test1152 \
 \
 test1160 test1161 \
 test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
--- a/tests/data/test1152
+++ b/tests/data/test1152
@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+LIST
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY PWD 257 "just one
+</servercmd>
+
+# When doing LIST, we get the default list output hard-coded in the test
+# FTP server
+<data mode="text">
+total 20
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 .
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..
+drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases
+-r--r--r--   1 0        1             35 Jul 16  1996 README
+lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin
+dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev
+drwxrwxrwx   2 98       98           512 May 29 16:04 download.html
+dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc
+drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub
+dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP with uneven quote in PWD response
+ </name>
+ <command>
+ftp://%HOSTIP:%FTPPORT/test-1152/
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD test-1152
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+</verify>
+</testcase>