File curl-CVE-2023-27534-dynbuf.patch of Package curl.30927

Overview Repositories Revisions Requests Users Attributes Meta

File curl-CVE-2023-27534-dynbuf.patch of Package curl.30927

From ed35d6590e72c23c568af1e3b8ac6e4e2d883888 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sat, 2 May 2020 17:04:08 +0200
Subject: [PATCH 3681/8000] dynbuf: introduce internal generic dynamic buffer
 functions

A common set of functions instead of many separate implementations for
creating buffers that can grow when appending data to them. Existing
functionality has been ported over.

In my early basic testing, the total number of allocations seem at
roughly the same amount as before, possibly a few less.

See docs/DYNBUF.md for a description of the API.

Closes #5300

Index: curl-7.66.0/docs/DYNBUF.md
===================================================================
--- /dev/null
+++ curl-7.66.0/docs/DYNBUF.md
@@ -0,0 +1,80 @@
+# dynbuf
+
+This is the internal module for creating and handling "dynamic buffers". This
+means buffers that can be appended to, dynamically and grow in size to adapt.
+
+There will always be a terminating zero put at the end of the dynamic buffer.
+
+The `struct dynbuf` is used to hold data for each instance of a dynamic
+buffer. The members of that struct **MUST NOT** be accessed or modified
+without using the dedicated dynbuf API.
+
+## init
+
+    void Curl_dyn_init(struct dynbuf *s, size_t toobig);
+
+This inits a struct to use for dynbuf and it can't fail. The `toobig` value
+**must** be set to the maximum size we allow this buffer instance to grow to.
+The functions below will return `CURLE_OUT_OF_MEMORY` when hitting this limit.
+
+## free
+
+    void Curl_dyn_free(struct dynbuf *s);
+
+Free the associated memory and clean up. After a free, the `dynbuf` struct can
+be re-used to start appending new data to.
+
+## addn
+
+    CURLcode Curl_dyn_addn(struct dynbuf *s, const void *mem, size_t len);
+
+Append arbitrary data of a given length to the end of the buffer.
+
+## add
+
+    CURLcode Curl_dyn_add(struct dynbuf *s, const char *str);
+
+Append a C string to the end of the buffer.
+
+## addf
+
+    CURLcode Curl_dyn_addf(struct dynbuf *s, const char *fmt, ...);
+
+Append a `printf()`-style string to the end of the buffer.
+
+## reset
+
+    void Curl_dyn_reset(struct dynbuf *s);
+
+Reset the buffer length, but leave the allocation.
+
+## tail
+
+    CURLcode Curl_dyn_trail(struct dynbuf *s, size_t length)
+
+Keep `length` bytes of the buffer tail (the last `length` bytes of the
+buffer). The rest of the buffer is dropped. The specified `length` must not be
+larger than the buffer length. (**This function is currently not provided**.)
+
+## ptr
+
+    char *Curl_dyn_ptr(const struct dynbuf *s);
+
+Returns a `char *` to the buffer if it has a length, otherwise a NULL. Since
+the buffer may be reallocated, this pointer should not be trusted or used
+anymore after the next buffer manipulation call.
+
+## uptr
+
+    unsigned char *Curl_dyn_uptr(const struct dynbuf *s);
+
+Returns an `unsigned char *` to the buffer if it has a length, otherwise a
+NULL. Since the buffer may be reallocated, this pointer should not be trusted
+or used anymore after the next buffer manipulation call.
+
+## len
+
+    size_t Curl_dyn_len(const struct dynbuf *s);
+
+Returns the length of the buffer in bytes. Does not include the terminating
+zero byte.
Index: curl-7.66.0/docs/Makefile.am
===================================================================
--- curl-7.66.0.orig/docs/Makefile.am
+++ curl-7.66.0/docs/Makefile.am
@@ -53,6 +53,7 @@ EXTRA_DIST =
  CODE_STYLE.md                                  \
  CONTRIBUTE.md                                  \
  DEPRECATE.md                                   \
+ DYNBUF.md                                      \
  EXPERIMENTAL.md                                \
  FAQ                                            \
  FEATURES                                       \
Index: curl-7.66.0/lib/Makefile.inc
===================================================================
--- curl-7.66.0.orig/lib/Makefile.inc
+++ curl-7.66.0/lib/Makefile.inc
@@ -61,7 +61,7 @@ LIB_CFILES = file.c timeval.c base64.c h
   curl_multibyte.c hostcheck.c conncache.c dotdot.c                     \
   x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c      \
   mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c  \
-  doh.c urlapi.c curl_get_line.c altsvc.c
+  doh.c urlapi.c curl_get_line.c altsvc.c dynbuf.c
 
 LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
   formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h         \
@@ -82,7 +82,7 @@ LIB_HFILES = arpa_telnet.h netrc.h file.
   x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h           \
   curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h     \
   curl_path.h curl_ctype.h curl_range.h psl.h doh.h urlapi-int.h        \
-  curl_get_line.h altsvc.h quic.h
+  curl_get_line.h altsvc.h quic.h dynbuf.h
 
 LIB_RCFILES = libcurl.rc
 
Index: curl-7.66.0/lib/dynbuf.c
===================================================================
--- /dev/null
+++ curl-7.66.0/lib/dynbuf.c
@@ -0,0 +1,229 @@
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+#include "curl_setup.h"
+#include "strdup.h"
+#include "dynbuf.h"
+
+/* The last 3 #include files should be in this order */
+#include "curl_printf.h"
+#include "curl_memory.h"
+#include "memdebug.h"
+
+#define MIN_FIRST_ALLOC 32
+
+#define DYNINIT 0xbee51da /* random pattern */
+
+/*
+ * Init a dynbuf struct.
+ */
+void Curl_dyn_init(struct dynbuf *s, size_t toobig)
+{
+  DEBUGASSERT(s);
+  DEBUGASSERT(toobig);
+  s->bufr = NULL;
+  s->leng = 0;
+  s->allc = 0;
+  s->toobig = toobig;
+#ifdef DEBUGBUILD
+  s->init = DYNINIT;
+#endif
+}
+
+/*
+ * free the buffer and re-init the necessary fields. It doesn't touch the
+ * 'init' field and thus this buffer can be reused to add data to again.
+ */
+void Curl_dyn_free(struct dynbuf *s)
+{
+  DEBUGASSERT(s);
+  Curl_safefree(s->bufr);
+  s->leng = s->allc = 0;
+}
+
+/*
+ * Store/append an chunk of memory to the dynbuf.
+ */
+static CURLcode dyn_nappend(struct dynbuf *s,
+                            const unsigned char *mem, size_t len)
+{
+  size_t indx = s->leng;
+  size_t a = s->allc;
+  size_t fit = len + indx + 1; /* new string + old string + zero byte */
+
+  /* try to detect if there's rubbish in the struct */
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(s->toobig);
+  DEBUGASSERT(indx < s->toobig);
+  DEBUGASSERT(!s->leng || s->bufr);
+
+  if(fit > s->toobig) {
+    Curl_dyn_free(s);
+    return CURLE_OUT_OF_MEMORY;
+  }
+  else if(!a) {
+    DEBUGASSERT(!indx);
+    /* first invoke */
+    if(fit < MIN_FIRST_ALLOC)
+      a = MIN_FIRST_ALLOC;
+    else
+      a = fit;
+  }
+  else {
+    while(a < fit)
+      a *= 2;
+  }
+
+  if(a != s->allc) {
+    s->bufr = Curl_saferealloc(s->bufr, a);
+    if(!s->bufr) {
+      s->leng = s->allc = 0;
+      return CURLE_OUT_OF_MEMORY;
+    }
+    s->allc = a;
+  }
+
+  if(len)
+    memcpy(&s->bufr[indx], mem, len);
+  s->leng = indx + len;
+  s->bufr[s->leng] = 0;
+  return CURLE_OK;
+}
+
+/*
+ * Clears the string, keeps the allocation. This can also be called on a
+ * buffer that already was freed.
+ */
+void Curl_dyn_reset(struct dynbuf *s)
+{
+  DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(!s->leng || s->bufr);
+  if(s->leng)
+    s->bufr[0] = 0;
+  s->leng = 0;
+}
+
+#if 0
+/*
+ * Specify the size of the tail to keep (number of bytes from the end of the
+ * buffer). The rest will be dropped.
+ */
+CURLcode Curl_dyn_tail(struct dynbuf *s, size_t trail)
+{
+  DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(!s->leng || s->bufr);
+  if(trail > s->leng)
+    return CURLE_BAD_FUNCTION_ARGUMENT;
+  else if(trail == s->leng)
+    return CURLE_OK;
+  else if(!trail) {
+    Curl_dyn_reset(s);
+  }
+  else {
+    memmove(&s->bufr[0], &s->bufr[s->leng - trail], trail);
+    s->leng = trail;
+    s->bufr[s->leng] = 0;
+  }
+  return CURLE_OK;
+
+}
+
+#endif
+
+/*
+ * Appends a buffer with length.
+ */
+CURLcode Curl_dyn_addn(struct dynbuf *s, const void *mem, size_t len)
+{
+  DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(!s->leng || s->bufr);
+  return dyn_nappend(s, mem, len);
+}
+
+/*
+ * Append a zero terminated string at the end.
+ */
+CURLcode Curl_dyn_add(struct dynbuf *s, const char *str)
+{
+  size_t n = strlen(str);
+  DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(!s->leng || s->bufr);
+  return dyn_nappend(s, (unsigned char *)str, n);
+}
+
+/*
+ * Append a string printf()-style
+ */
+CURLcode Curl_dyn_addf(struct dynbuf *s, const char *fmt, ...)
+{
+  char *str;
+  va_list ap;
+  va_start(ap, fmt);
+  str = vaprintf(fmt, ap); /* this allocs a new string to append */
+  va_end(ap);
+
+  if(str) {
+    CURLcode result = dyn_nappend(s, (unsigned char *)str, strlen(str));
+    free(str);
+    return result;
+  }
+  /* If we failed, we cleanup the whole buffer and return error */
+  Curl_dyn_free(s);
+  return CURLE_OUT_OF_MEMORY;
+}
+
+/*
+ * Returns a pointer to the buffer.
+ */
+char *Curl_dyn_ptr(const struct dynbuf *s)
+{
+  DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(!s->leng || s->bufr);
+  return s->bufr;
+}
+
+/*
+ * Returns an unsigned pointer to the buffer.
+ */
+unsigned char *Curl_dyn_uptr(const struct dynbuf *s)
+{
+  DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(!s->leng || s->bufr);
+  return (unsigned char *)s->bufr;
+}
+
+/*
+ * Returns the length of the buffer.
+ */
+size_t Curl_dyn_len(const struct dynbuf *s)
+{
+  DEBUGASSERT(s);
+  DEBUGASSERT(s->init == DYNINIT);
+  DEBUGASSERT(!s->leng || s->bufr);
+  return s->leng;
+}
Index: curl-7.66.0/lib/dynbuf.h
===================================================================
--- /dev/null
+++ curl-7.66.0/lib/dynbuf.h
@@ -0,0 +1,61 @@
+#ifndef HEADER_CURL_DYNBUF_H
+#define HEADER_CURL_DYNBUF_H
+/***************************************************************************
+ *                                  _   _ ____  _
+ *  Project                     ___| | | |  _ \| |
+ *                             / __| | | | |_) | |
+ *                            | (__| |_| |  _ <| |___
+ *                             \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+
+struct dynbuf {
+  char *bufr;    /* point to a zero terminated allocated buffer */
+  size_t leng;   /* number of bytes *EXCLUDING* the zero terminator */
+  size_t allc;   /* size of the current allocation */
+  size_t toobig; /* size limit for the buffer */
+#ifdef DEBUGBUILD
+  int init;      /* detect API usage mistakes */
+#endif
+};
+
+void Curl_dyn_init(struct dynbuf *s, size_t toobig);
+void Curl_dyn_free(struct dynbuf *s);
+CURLcode Curl_dyn_addn(struct dynbuf *s, const void *mem, size_t len)
+  WARN_UNUSED_RESULT;
+CURLcode Curl_dyn_add(struct dynbuf *s, const char *str)
+  WARN_UNUSED_RESULT;
+CURLcode Curl_dyn_addf(struct dynbuf *s, const char *fmt, ...)
+  WARN_UNUSED_RESULT;
+void Curl_dyn_reset(struct dynbuf *s);
+CURLcode Curl_dyn_tail(struct dynbuf *s, size_t trail);
+char *Curl_dyn_ptr(const struct dynbuf *s);
+unsigned char *Curl_dyn_uptr(const struct dynbuf *s);
+size_t Curl_dyn_len(const struct dynbuf *s);
+
+/* Dynamic buffer max sizes */
+#define DYN_DOH_RESPONSE    3000
+#define DYN_DOH_CNAME       256
+#define DYN_PAUSE_BUFFER    (64 * 1024 * 1024)
+#define DYN_HAXPROXY        2048
+#define DYN_HTTP_REQUEST    (1024*1024)
+#define DYN_H2_HEADERS      (128*1024)
+#define DYN_H2_TRAILERS     (128*1024)
+#define DYN_APRINTF         8000000
+#define DYN_RTSP_REQ_HEADER (64*1024)
+#define DYN_TRAILERS        (64*1024)
+
+#endif
Index: curl-7.66.0/lib/curl_path.c
===================================================================
--- curl-7.66.0.orig/lib/curl_path.c
+++ curl-7.66.0/lib/curl_path.c
@@ -29,6 +29,7 @@
 #include "curl_path.h"
 #include "escape.h"
 #include "memdebug.h"
+#include "dynbuf.h"
 
 #define MAX_SSHPATH_LEN 100000 /* arbitrary */

Places

File curl-CVE-2023-27534-dynbuf.patch of Package curl.30927

Places