mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-02-23 15:10:03 +08:00
Code Issues Packages Projects Releases Wiki Activity

krb5: return error properly on decode errors

Browse Source 
Bug: https://curl.se/docs/CVE-2022-32208.html
CVE-2022-32208
Reported-by: Harry Sintonen
Closes #9051
This commit is contained in:
Daniel Stenberg 2022-06-09 09:27:24 +02:00
parent 2b67a0a112
commit 6ecdf5136b
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
1 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lib/krb5.c
View File

@ -142,11 +142,8 @@ krb5_decode(void *app_data, void *buf, int len,
enc.value = buf; enc.value = buf;
enc.length = len; enc.length = len;
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL); maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
if(maj != GSS_S_COMPLETE) { if(maj != GSS_S_COMPLETE)
if(len >= 4)
strcpy(buf, "599 ");
return -1; return -1;
}
memcpy(buf, dec.value, dec.length); memcpy(buf, dec.value, dec.length);
len = curlx_uztosi(dec.length); len = curlx_uztosi(dec.length);
@ -508,6 +505,7 @@ static CURLcode read_data(struct connectdata *conn,
{ {
int len; int len;
CURLcode result; CURLcode result;
int nread;
result = socket_read(fd, &len, sizeof(len)); result = socket_read(fd, &len, sizeof(len));
if(result) if(result)
@ -516,7 +514,10 @@ static CURLcode read_data(struct connectdata *conn,
if(len) { if(len) {
/* only realloc if there was a length */ /* only realloc if there was a length */
len = ntohl(len); len = ntohl(len);
buf->data = Curl_saferealloc(buf->data, len); if(len > CURL_MAX_INPUT_LENGTH)
len = 0;
else
buf->data = Curl_saferealloc(buf->data, len);
} }
if(!len || !buf->data) if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
@ -524,8 +525,11 @@ static CURLcode read_data(struct connectdata *conn,
result = socket_read(fd, buf->data, len); result = socket_read(fd, buf->data, len);
if(result) if(result)
return result; return result;
buf->size = conn->mech->decode(conn->app_data, buf->data, len, nread = conn->mech->decode(conn->app_data, buf->data, len,
conn->data_prot, conn); conn->data_prot, conn);
if(nread < 0)
return CURLE_RECV_ERROR;
buf->size = (size_t)nread;
buf->index = 0; buf->index = 0;
return CURLE_OK; return CURLE_OK;
} }