author | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2022-12-02 20:53:31 +0300 |
---|---|---|
committer | P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com> | 2022-12-02 21:09:30 +0300 |
commit | 7dd3ed26ca09df0e582be8cc2780bba588bdd11e (patch) | |
tree | ee5b64acbe5374240089bc65c9443dd29df482f8 /meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch | |
parent | e0c224c79550bf49928bfb75f629233b1ef07c7a (diff) | |
download | openbmc-7dd3ed26ca09df0e582be8cc2780bba588bdd11e.tar.xz |
Update to internal 1-0.92
Signed-off-by: P Dheeraj Srujan Kumar <p.dheeraj.srujan.kumar@intel.com>
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch
new file mode 100644
index 000000000..be9f52d86
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32208-krb5-return-error-properly-on-decode-errors.patch
@@ -0,0 +1,64 @@
+From 6ecdf5136b52af747e7bda08db9a748256b1cd09 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Thu, 9 Jun 2022 09:27:24 +0200
+Subject: [PATCH] krb5: return error properly on decode errors
+
+Bug: https://curl.se/docs/CVE-2022-32208.html
+CVE-2022-32208
+Reported-by: Harry Sintonen
+Closes #9051
+---
+ lib/krb5.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/lib/krb5.c b/lib/krb5.c
+index e289595c9e1dd..517491c4658bf 100644
+--- a/lib/krb5.c
++++ b/lib/krb5.c
+@@ -142,11 +142,8 @@ krb5_decode(void *app_data, void *buf, int len,
+ enc.value = buf;
+ enc.length = len;
+ maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
+- if(maj != GSS_S_COMPLETE) {
+- if(len >= 4)
+- strcpy(buf, "599 ");
++ if(maj != GSS_S_COMPLETE)
+ return -1;
+- }
+
+ memcpy(buf, dec.value, dec.length);
+ len = curlx_uztosi(dec.length);
+@@ -508,6 +505,7 @@ static CURLcode read_data(struct connectdata *conn,
+ {
+ int len;
+ CURLcode result;
++ int nread;
+
+ result = socket_read(fd, &len, sizeof(len));
+ if(result)
+@@ -516,7 +514,10 @@ static CURLcode read_data(struct connectdata *conn,
+ if(len) {
+ /* only realloc if there was a length */
+ len = ntohl(len);
+- buf->data = Curl_saferealloc(buf->data, len);
++ if(len > CURL_MAX_INPUT_LENGTH)
++ len = 0;
++ else
++ buf->data = Curl_saferealloc(buf->data, len);
+ }
+ if(!len || !buf->data)
+ return CURLE_OUT_OF_MEMORY;
+@@ -524,8 +525,11 @@ static CURLcode read_data(struct connectdata *conn,
+ result = socket_read(fd, buf->data, len);
+ if(result)
+ return result;
+- buf->size = conn->mech->decode(conn->app_data, buf->data, len,
+- conn->data_prot, conn);
++ nread = conn->mech->decode(conn->app_data, buf->data, len,
++ conn->data_prot, conn);
++ if(nread < 0)
++ return CURLE_RECV_ERROR;
++ buf->size = (size_t)nread;
+ buf->index = 0;
+ return CURLE_OK;
+ } |
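Review bot: The length check added in the `@@ -516,7 +514,10 @@` hunk of the carried lib/krb5.c patch bounds the peer-supplied value only from above: `len` is declared `int` in read_data, so a wire length with the top bit set is negative after `ntohl()` and passes `if(len > CURL_MAX_INPUT_LENGTH)`. It then reaches `Curl_saferealloc(buf->data, len)`, so rejection appears to depend on the allocation failing rather than on validation, which is worth confirming for the 32-bit targets this layer builds for. A stricter guard would be `if(len < 0 || len > CURL_MAX_INPUT_LENGTH)`; since this is a verbatim upstream backport, that belongs in a follow-up patch rather than an edit to this file, and read_data begins outside the visible hunks, so the `socket_read` side is not checked here. The patch header also carries no `Upstream-Status: Backport [...]` line, which Yocto-style layers normally expect next to the `Bug:` and CVE reference.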