1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
From 5fc28510a4664f46459d9a40187d81cc08571e60 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 29 Apr 2019 08:00:49 +0200
Subject: [PATCH] CURL_MAX_INPUT_LENGTH: largest acceptable string input size
This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().
The 8000000 number is arbitrary picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.
NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
Test 1559 verifies.
Closes #3805
Upstream-Status: Backport
Dropped a few changes to apply against this version
https://github.com/curl/curl/commit/5fc28510a4664f4
CVE: CVE-2019-5435
affects: libcurl 7.19.4 to and including 7.64.1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
lib/setopt.c | 7 +++++
lib/urldata.h | 4 +++
7 files changed, 146 insertions(+), 3 deletions(-)
create mode 100644 tests/data/test1559
create mode 100644 tests/libtest/lib1559.c
Index: curl-7.61.0/lib/setopt.c
===================================================================
--- curl-7.61.0.orig/lib/setopt.c
+++ curl-7.61.0/lib/setopt.c
@@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, co
if(s) {
char *str = strdup(s);
+ if(str) {
+ size_t len = strlen(str);
+ if(len > CURL_MAX_INPUT_LENGTH) {
+ free(str);
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ }
if(!str)
return CURLE_OUT_OF_MEMORY;
Index: curl-7.61.0/lib/urldata.h
===================================================================
--- curl-7.61.0.orig/lib/urldata.h
+++ curl-7.61.0/lib/urldata.h
@@ -79,6 +79,10 @@
*/
#define RESP_TIMEOUT (1800*1000)
+/* Max string intput length is a precaution against abuse and to detect junk
+ input easier and better. */
+#define CURL_MAX_INPUT_LENGTH 8000000
+
#include "cookie.h"
#include "psl.h"
#include "formdata.h"
Index: curl-7.61.0/tests/data/test1559
===================================================================
--- /dev/null
+++ curl-7.61.0/tests/data/test1559
@@ -0,0 +1,44 @@
+<testcase>
+<info>
+<keywords>
+CURLOPT_URL
+</keywords>
+</info>
+
+<reply>
+</reply>
+
+<client>
+<server>
+none
+</server>
+
+# require HTTP so that CURLOPT_POSTFIELDS works as assumed
+<features>
+http
+</features>
+<tool>
+lib1559
+</tool>
+
+<name>
+Set excessive URL lengths
+</name>
+</client>
+
+#
+# Verify that the test runs to completion without crashing
+<verify>
+<errorcode>
+0
+</errorcode>
+<stdout>
+CURLOPT_URL 10000000 bytes URL == 43
+CURLOPT_POSTFIELDS 10000000 bytes data == 0
+CURLUPART_URL 10000000 bytes URL == 3
+CURLUPART_SCHEME 10000000 bytes scheme == 3
+CURLUPART_USER 10000000 bytes user == 3
+</stdout>
+</verify>
+
+</testcase>
Index: curl-7.61.0/tests/libtest/lib1559.c
===================================================================
--- /dev/null
+++ curl-7.61.0/tests/libtest/lib1559.c
@@ -0,0 +1,78 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include "test.h"
+
+#include "testutil.h"
+#include "warnless.h"
+#include "memdebug.h"
+
+#define EXCESSIVE 10*1000*1000
+int test(char *URL)
+{
+ CURLcode res = 0;
+ CURL *curl = NULL;
+ char *longurl = malloc(EXCESSIVE);
+ CURLU *u;
+ (void)URL;
+
+ memset(longurl, 'a', EXCESSIVE);
+ longurl[EXCESSIVE-1] = 0;
+
+ global_init(CURL_GLOBAL_ALL);
+ easy_init(curl);
+
+ res = curl_easy_setopt(curl, CURLOPT_URL, longurl);
+ printf("CURLOPT_URL %d bytes URL == %d\n",
+ EXCESSIVE, (int)res);
+
+ res = curl_easy_setopt(curl, CURLOPT_POSTFIELDS, longurl);
+ printf("CURLOPT_POSTFIELDS %d bytes data == %d\n",
+ EXCESSIVE, (int)res);
+
+ u = curl_url();
+ if(u) {
+ CURLUcode uc = curl_url_set(u, CURLUPART_URL, longurl, 0);
+ printf("CURLUPART_URL %d bytes URL == %d\n",
+ EXCESSIVE, (int)uc);
+ uc = curl_url_set(u, CURLUPART_SCHEME, longurl, CURLU_NON_SUPPORT_SCHEME);
+ printf("CURLUPART_SCHEME %d bytes scheme == %d\n",
+ EXCESSIVE, (int)uc);
+ uc = curl_url_set(u, CURLUPART_USER, longurl, 0);
+ printf("CURLUPART_USER %d bytes user == %d\n",
+ EXCESSIVE, (int)uc);
+ curl_url_cleanup(u);
+ }
+
+ free(longurl);
+
+ curl_easy_cleanup(curl);
+ curl_global_cleanup();
+
+ return 0;
+
+test_cleanup:
+
+ curl_easy_cleanup(curl);
+ curl_global_cleanup();
+
+ return res; /* return the final return code */
+}
|
