You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
148 lines
5.3 KiB
148 lines
5.3 KiB
From 85d1103c2fc0c9b1bdfae470dbafd45758e1c2f0 Mon Sep 17 00:00:00 2001 |
|
From: Patrick Monnerat <patrick@monnerat.net> |
|
Date: Mon, 25 Apr 2022 11:44:05 +0200 |
|
Subject: [PATCH] url: check sasl additional parameters for connection reuse. |
|
|
|
Also move static function safecmp() as non-static Curl_safecmp() since |
|
its purpose is needed at several places. |
|
|
|
Bug: https://curl.se/docs/CVE-2022-22576.html |
|
|
|
CVE-2022-22576 |
|
|
|
Closes #8746 |
|
|
|
Upstream-commit: 852aa5ad351ea53e5f01d2f44b5b4370c2bf5425 |
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com> |
|
--- |
|
lib/strcase.c | 10 ++++++++++ |
|
lib/strcase.h | 2 ++ |
|
lib/url.c | 13 ++++++++++++- |
|
lib/urldata.h | 1 + |
|
lib/vtls/vtls.c | 21 ++++++--------------- |
|
5 files changed, 31 insertions(+), 16 deletions(-) |
|
|
|
diff --git a/lib/strcase.c b/lib/strcase.c |
|
index dd46ca1..692a3f1 100644 |
|
--- a/lib/strcase.c |
|
+++ b/lib/strcase.c |
|
@@ -251,6 +251,16 @@ void Curl_strntolower(char *dest, const char *src, size_t n) |
|
} while(*src++ && --n); |
|
} |
|
|
|
+/* Compare case-sensitive NUL-terminated strings, taking care of possible |
|
+ * null pointers. Return true if arguments match. |
|
+ */ |
|
+bool Curl_safecmp(char *a, char *b) |
|
+{ |
|
+ if(a && b) |
|
+ return !strcmp(a, b); |
|
+ return !a && !b; |
|
+} |
|
+ |
|
/* --- public functions --- */ |
|
|
|
int curl_strequal(const char *first, const char *second) |
|
diff --git a/lib/strcase.h b/lib/strcase.h |
|
index b628656..382b80a 100644 |
|
--- a/lib/strcase.h |
|
+++ b/lib/strcase.h |
|
@@ -48,4 +48,6 @@ char Curl_raw_toupper(char in); |
|
void Curl_strntoupper(char *dest, const char *src, size_t n); |
|
void Curl_strntolower(char *dest, const char *src, size_t n); |
|
|
|
+bool Curl_safecmp(char *a, char *b); |
|
+ |
|
#endif /* HEADER_CURL_STRCASE_H */ |
|
diff --git a/lib/url.c b/lib/url.c |
|
index adef2cd..94e3406 100644 |
|
--- a/lib/url.c |
|
+++ b/lib/url.c |
|
@@ -768,6 +768,7 @@ static void conn_free(struct connectdata *conn) |
|
Curl_safefree(conn->passwd); |
|
Curl_safefree(conn->sasl_authzid); |
|
Curl_safefree(conn->options); |
|
+ Curl_safefree(conn->oauth_bearer); |
|
Curl_dyn_free(&conn->trailer); |
|
Curl_safefree(conn->host.rawalloc); /* host name buffer */ |
|
Curl_safefree(conn->conn_to_host.rawalloc); /* host name buffer */ |
|
@@ -1310,7 +1311,9 @@ ConnectionExists(struct Curl_easy *data, |
|
/* This protocol requires credentials per connection, |
|
so verify that we're using the same name and password as well */ |
|
if(strcmp(needle->user, check->user) || |
|
- strcmp(needle->passwd, check->passwd)) { |
|
+ strcmp(needle->passwd, check->passwd) || |
|
+ !Curl_safecmp(needle->sasl_authzid, check->sasl_authzid) || |
|
+ !Curl_safecmp(needle->oauth_bearer, check->oauth_bearer)) { |
|
/* one of them was different */ |
|
continue; |
|
} |
|
@@ -3554,6 +3557,14 @@ static CURLcode create_conn(struct Curl_easy *data, |
|
} |
|
} |
|
|
|
+ if(data->set.str[STRING_BEARER]) { |
|
+ conn->oauth_bearer = strdup(data->set.str[STRING_BEARER]); |
|
+ if(!conn->oauth_bearer) { |
|
+ result = CURLE_OUT_OF_MEMORY; |
|
+ goto out; |
|
+ } |
|
+ } |
|
+ |
|
#ifdef USE_UNIX_SOCKETS |
|
if(data->set.str[STRING_UNIX_SOCKET_PATH]) { |
|
conn->unix_domain_socket = strdup(data->set.str[STRING_UNIX_SOCKET_PATH]); |
|
diff --git a/lib/urldata.h b/lib/urldata.h |
|
index cc8a600..03da59a 100644 |
|
--- a/lib/urldata.h |
|
+++ b/lib/urldata.h |
|
@@ -991,6 +991,7 @@ struct connectdata { |
|
char *passwd; /* password string, allocated */ |
|
char *options; /* options string, allocated */ |
|
char *sasl_authzid; /* authorisation identity string, allocated */ |
|
+ char *oauth_bearer; /* OAUTH2 bearer, allocated */ |
|
unsigned char httpversion; /* the HTTP version*10 reported by the server */ |
|
struct curltime now; /* "current" time */ |
|
struct curltime created; /* creation time */ |
|
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c |
|
index 03b85ba..a40ac06 100644 |
|
--- a/lib/vtls/vtls.c |
|
+++ b/lib/vtls/vtls.c |
|
@@ -125,15 +125,6 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second) |
|
return !memcmp(first->data, second->data, first->len); /* same data */ |
|
} |
|
|
|
-static bool safecmp(char *a, char *b) |
|
-{ |
|
- if(a && b) |
|
- return !strcmp(a, b); |
|
- else if(!a && !b) |
|
- return TRUE; /* match */ |
|
- return FALSE; /* no match */ |
|
-} |
|
- |
|
|
|
bool |
|
Curl_ssl_config_matches(struct ssl_primary_config *data, |
|
@@ -146,12 +137,12 @@ Curl_ssl_config_matches(struct ssl_primary_config *data, |
|
(data->verifystatus == needle->verifystatus) && |
|
blobcmp(data->cert_blob, needle->cert_blob) && |
|
blobcmp(data->issuercert_blob, needle->issuercert_blob) && |
|
- safecmp(data->CApath, needle->CApath) && |
|
- safecmp(data->CAfile, needle->CAfile) && |
|
- safecmp(data->issuercert, needle->issuercert) && |
|
- safecmp(data->clientcert, needle->clientcert) && |
|
- safecmp(data->random_file, needle->random_file) && |
|
- safecmp(data->egdsocket, needle->egdsocket) && |
|
+ Curl_safecmp(data->CApath, needle->CApath) && |
|
+ Curl_safecmp(data->CAfile, needle->CAfile) && |
|
+ Curl_safecmp(data->issuercert, needle->issuercert) && |
|
+ Curl_safecmp(data->clientcert, needle->clientcert) && |
|
+ Curl_safecmp(data->random_file, needle->random_file) && |
|
+ Curl_safecmp(data->egdsocket, needle->egdsocket) && |
|
Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) && |
|
Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) && |
|
Curl_safe_strcasecompare(data->curves, needle->curves) && |
|
-- |
|
2.34.1 |
|
|
|
|