File curl-CVE-2020-19909.patch of Package curl.30322

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2020-19909.patch of Package curl.30322

From db0a0dfb0eb41d39273b0590b992df58f38b9a4d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 29 Jul 2019 22:10:13 +0200
Subject: [PATCH] curl: cap the maximum allowed values for retry time arguments

... to avoid integer overflows later when multiplying with 1000 to
convert seconds to milliseconds.

Added test 1269 to verify.

Reported-by: Jason Lee
Closes #4166
---
 src/tool_getparam.c     |  4 ++--
 src/tool_paramhlp.c     | 22 ++++++++++++++++++++++
 src/tool_paramhlp.h     |  3 ++-
 tests/data/Makefile.inc |  2 +-
 tests/data/test1269     | 34 ++++++++++++++++++++++++++++++++++
 5 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 tests/data/test1269

Index: curl-7.37.0/src/tool_getparam.c
===================================================================
--- curl-7.37.0.orig/src/tool_getparam.c
+++ curl-7.37.0/src/tool_getparam.c
@@ -787,12 +787,12 @@ ParameterError getparameter(char *flag,
           return err;
         break;
       case 'h': /* --retry-delay */
-        err = str2unum(&config->retry_delay, nextarg);
+        err = str2unummax(&config->retry_delay, nextarg, LONG_MAX/1000);
         if(err)
           return err;
         break;
       case 'i': /* --retry-max-time */
-        err = str2unum(&config->retry_maxtime, nextarg);
+        err = str2unummax(&config->retry_maxtime, nextarg, LONG_MAX/1000);
         if(err)
           return err;
         break;
Index: curl-7.37.0/src/tool_paramhlp.c
===================================================================
--- curl-7.37.0.orig/src/tool_paramhlp.c
+++ curl-7.37.0/src/tool_paramhlp.c
@@ -189,6 +189,28 @@ ParameterError str2unum(long *val, const
 }
 
 /*
+ * Parse the string and write the long in the given address if it is below the
+ * maximum allowed value. Return PARAM_OK on success, otherwise a parameter
+ * error enum. ONLY ACCEPTS POSITIVE NUMBERS!
+ *
+ * Since this function gets called with the 'nextarg' pointer from within the
+ * getparameter a lot, we must check it for NULL before accessing the str
+ * data.
+ */
+
+ParameterError str2unummax(long *val, const char *str, long max)
+{
+  ParameterError result = str2unum(val, str);
+  if(result != PARAM_OK)
+    return result;
+  if(*val > max)
+    return PARAM_BAD_NUMERIC;
+
+  return PARAM_OK;
+}
+
+
+/*
  * Parse the string and write the double in the given address. Return PARAM_OK
  * on success, otherwise a parameter specific error enum.
  *
Index: curl-7.37.0/src/tool_paramhlp.h
===================================================================
--- curl-7.37.0.orig/src/tool_paramhlp.h
+++ curl-7.37.0/src/tool_paramhlp.h
@@ -33,6 +33,7 @@ void cleanarg(char *str);
 
 ParameterError str2num(long *val, const char *str);
 ParameterError str2unum(long *val, const char *str);
+ParameterError str2unummax(long *val, const char *str, long max);
 ParameterError str2double(double *val, const char *str);
 ParameterError str2udouble(double *val, const char *str);
 
Index: curl-7.37.0/tests/data/test1269
===================================================================
--- /dev/null
+++ curl-7.37.0/tests/data/test1269
@@ -0,0 +1,34 @@
+<testcase>
+<info>
+<keywords>
+--retry-delay
+</keywords>
+</info>
+
+#
+# Server-side
+<reply>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+ <name>
+too large --retry-delay value
+ </name>
+ <command>
+--retry 3 --retry-delay 9223372036854776 http://%HOSTIP:%HTTPPORT/1269
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+2
+</errorcode>
+</verify>
+</testcase>
Index: curl-7.37.0/tests/data/Makefile.am
===================================================================
--- curl-7.37.0.orig/tests/data/Makefile.am
+++ curl-7.37.0/tests/data/Makefile.am
@@ -110,6 +110,7 @@ test1216 test1217 test1218 test1219 \
 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
 test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
 test1236 test1237 test1238 test1239 test1240 \
+test1269 \
 test1289 \
 \
 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
Index: curl-7.37.0/tests/data/Makefile.in
===================================================================
--- curl-7.37.0.orig/tests/data/Makefile.in
+++ curl-7.37.0/tests/data/Makefile.in
@@ -418,6 +418,7 @@ test1216 test1217 test1218 test1219 \
 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
 test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
 test1236 test1237 test1238 test1239 test1240 \
+test1269 \
 test1289 \
 \
 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \

Places

File curl-CVE-2020-19909.patch of Package curl.30322

Places