Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch | 171 |
1 files changed, 0 insertions, 171 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch b/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch
deleted file mode 100644
index dc7b59f7f..000000000
--- a/meta-openbmc-mods/meta-common/recipes-support/curl/curl/CVE-2022-32205-cookie-apply-limits.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-From 48d7064a49148f03942380967da739dcde1cdc24 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sun, 26 Jun 2022 11:00:48 +0200
-Subject: [PATCH] cookie: apply limits
-
-- Send no more than 150 cookies per request
-- Cap the max length used for a cookie: header to 8K
-- Cap the max number of received Set-Cookie: headers to 50
-
-Bug: https://curl.se/docs/CVE-2022-32205.html
-CVE-2022-32205
-Reported-by: Harry Sintonen
-Closes #9048
----
- lib/cookie.c | 14 ++++++++++++--
- lib/cookie.h | 21 +++++++++++++++++++--
- lib/http.c | 13 +++++++++++--
- lib/urldata.h | 1 +
- 4 files changed, 43 insertions(+), 6 deletions(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index a308346a777bc..a1ab89532033b 100644
----- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -482,6 +482,10 @@ Curl_cookie_add(struct Curl_easy *data,
- (void)data;
- #endif
-
-+ DEBUGASSERT(MAX_SET_COOKIE_AMOUNT <= 255); /* counter is an unsigned char */
-+ if(data->req.setcookies >= MAX_SET_COOKIE_AMOUNT)
-+ return NULL;
-+
- /* First, alloc and init a new struct for it */
- co = calloc(1, sizeof(struct Cookie));
- if(!co)
-@@ -821,7 +825,7 @@ Curl_cookie_add(struct Curl_easy *data,
- freecookie(co);
- return NULL;
- }
--
-+ data->req.setcookies++;
- }
- else {
- /*
-@@ -1375,7 +1379,8 @@ static struct Cookie *dup_cookie(struct Cookie *src)
- *
- * It shall only return cookies that haven't expired.
- */
--struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
-+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
-+ struct CookieInfo *c,
- const char *host, const char *path,
- bool secure)
- {
-@@ -1430,6 +1435,11 @@ struct Cookie *Curl_cookie_getlist(struct CookieInfo *c,
- mainco = newco;
-
- matches++;
-+ if(matches >= MAX_COOKIE_SEND_AMOUNT) {
-+ infof(data, "Included max number of cookies (%u) in request!",
-+ matches);
-+ break;
-+ }
- }
- else
- goto fail;
-diff --git a/lib/cookie.h b/lib/cookie.h
-index 453dfced8a342..abc0a2e8a01ad 100644
----- a/lib/cookie.h
-+++ b/lib/cookie.h
-@@ -83,10 +83,26 @@ struct CookieInfo {
- */
- #define MAX_COOKIE_LINE 5000
-
--/* This is the maximum length of a cookie name or content we deal with: */
-+/* Maximum length of an incoming cookie name or content we deal with. Longer
-+ cookies are ignored. */
- #define MAX_NAME 4096
- #define MAX_NAME_TXT "4095"
-
-+/* Maximum size for an outgoing cookie line libcurl will use in an http
-+ request. This is the default maximum length used in some versions of Apache
-+ httpd. */
-+#define MAX_COOKIE_HEADER_LEN 8190
-+
-+/* Maximum number of cookies libcurl will send in a single request, even if
-+ there might be more cookies that match. One reason to cap the number is to
-+ keep the maximum HTTP request within the maximum allowed size. */
-+#define MAX_COOKIE_SEND_AMOUNT 150
-+
-+/* Maximum number of Set-Cookie: lines accepted in a single response. If more
-+ such header lines are received, they are ignored. This value must be less
-+ than 256 since an unsigned char is used to count. */
-+#define MAX_SET_COOKIE_AMOUNT 50
-+
- struct Curl_easy;
- /*
- * Add a cookie to the internal list of cookies. The domain and path arguments
-@@ -99,7 +115,8 @@ struct Cookie *Curl_cookie_add(struct Curl_easy *data,
- const char *domain, const char *path,
- bool secure);
-
--struct Cookie *Curl_cookie_getlist(struct CookieInfo *c, const char *host,
-+struct Cookie *Curl_cookie_getlist(struct Curl_easy *data,
-+ struct CookieInfo *c, const char *host,
- const char *path, bool secure);
- void Curl_cookie_freelist(struct Cookie *cookies);
- void Curl_cookie_clearall(struct CookieInfo *cookies);
-diff --git a/lib/http.c b/lib/http.c
-index 5284475ba92c4..258722a602e40 100644
----- a/lib/http.c
-+++ b/lib/http.c
-@@ -2711,12 +2711,14 @@ CURLcode Curl_http_bodysend(struct Curl_easy *data, struct connectdata *conn,
- }
-
- #if !defined(CURL_DISABLE_COOKIES)
-+
- CURLcode Curl_http_cookies(struct Curl_easy *data,
- struct connectdata *conn,
- struct dynbuf *r)
- {
- CURLcode result = CURLE_OK;
- char *addcookies = NULL;
-+ bool linecap = FALSE;
- if(data->set.str[STRING_COOKIE] &&
- !Curl_checkheaders(data, STRCONST("Cookie")))
- addcookies = data->set.str[STRING_COOKIE];
-@@ -2734,7 +2736,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
- !strcmp(host, "127.0.0.1") ||
- !strcmp(host, "[::1]") ? TRUE : FALSE;
- Curl_share_lock(data, CURL_LOCK_DATA_COOKIE, CURL_LOCK_ACCESS_SINGLE);
-- co = Curl_cookie_getlist(data->cookies, host, data->state.up.path,
-+ co = Curl_cookie_getlist(data, data->cookies, host, data->state.up.path,
- secure_context);
- Curl_share_unlock(data, CURL_LOCK_DATA_COOKIE);
- }
-@@ -2748,6 +2750,13 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
- if(result)
- break;
- }
-+ if((Curl_dyn_len(r) + strlen(co->name) + strlen(co->value) + 1) >=
-+ MAX_COOKIE_HEADER_LEN) {
-+ infof(data, "Restricted outgoing cookies due to header size, "
-+ "'%s' not sent", co->name);
-+ linecap = TRUE;
-+ break;
-+ }
- result = Curl_dyn_addf(r, "%s%s=%s", count?"; ":"",
- co->name, co->value);
- if(result)
-@@ -2758,7 +2767,7 @@ CURLcode Curl_http_cookies(struct Curl_easy *data,
- }
- Curl_cookie_freelist(store);
- }
-- if(addcookies && !result) {
-+ if(addcookies && !result && !linecap) {
- if(!count)
- result = Curl_dyn_addn(r, STRCONST("Cookie: "));
- if(!result) {
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 17fe25720be33..bcb4d460c2fe6 100644
----- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -698,6 +698,7 @@ struct SingleRequest {
- #ifndef CURL_DISABLE_DOH
- struct dohdata *doh; /* DoH specific data for this request */
- #endif
-+ unsigned char setcookies;
- BIT(header); /* incoming data has HTTP header */
- BIT(content_range); /* set TRUE if Content-Range: was found */
- BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding |