pingpong: reject nul byte in server response line

Add test 2108 covering the rejection over FTP. Drop the now-vestigial nul bytes from test 1282; they exercised the removed Kerberos FTP security buffer check and now trip this rejection before the 633 login-denied path is reached. Closes #21996
2026-06-21 03:55:39 +03:00 · 2026-06-13 13:34:51 +05:30 · 2026-06-13 13:34:51 +05:30 · 2f8fb98c5f
commit 2f8fb98c5f
parent a7e35c9194
4 changed files with 50 additions and 1 deletions
--- a/lib/pingpong.c
+++ b/lib/pingpong.c
@ -292,6 +292,13 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data,
           the line is not really terminated until the LF comes */
        size_t length = nl - line + 1;

+        if(memchr(line, 0, length)) {
+          /* The response line is passed on as a "header" below, so reject an
+             embedded nul the same way verify_header() does for HTTP. */
+          failf(data, "Nul byte in server response line");
+          return CURLE_WEIRD_SERVER_REPLY;
+        }
+
        /* output debug output if that is requested */
        Curl_debug(data, CURLINFO_HEADER_IN, line, length);

--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@ -254,6 +254,7 @@ test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 \
 test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 \
 test2088 test2089 test2090 test2091 test2092 \
 test2100 test2101 test2102 test2103 test2104 test2105 test2106 test2107 \
+test2108 \
 \
 test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \
 test2208 \
--- a/tests/data/test1282
+++ b/tests/data/test1282
@ -10,7 +10,7 @@ RETR
 # Server-side
 <reply>
 <servercmd>
-REPLY PASS 633 XXXXXXXX\x00\x00XXXXXXXX
+REPLY PASS 633 XXXXXXXXXXXXXXXX
 </servercmd>
 </reply>

--- a/tests/data/test2108
+++ b/tests/data/test2108
@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+FTP
+</keywords>
+</info>
+# Server-side
+<reply>
+<servercmd>
+REPLY PASS 230 logged\x00 in
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<name>
+FTP rejects a nul byte in a server response line
+</name>
+<command>
+ftp://%HOSTIP:%FTPPORT/%TESTNUMBER
+</command>
+
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol crlf="yes">
+USER anonymous
+PASS ftp@example.com
+</protocol>
+
+# 8 == CURLE_WEIRD_SERVER_REPLY
+<errorcode>
+8
+</errorcode>
+</verify>
+</testcase>