romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-05-30 07:37:33 +03:00
Code Issues Projects Releases Packages Wiki Activity

krb5: return error properly on decode errors

Browse source 
Bug: https://curl.se/docs/CVE-2022-32208.html
CVE-2022-32208
Reported-by: Harry Sintonen
Closes #9051
This commit is contained in:
Daniel Stenberg 2022-06-09 09:27:24 +02:00
parent 2b67a0a112
commit 6ecdf5136b
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 11 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

18
lib/krb5.c
View file

@ -142,11 +142,8 @@ krb5_decode(void *app_data, void *buf, int len,
enc.value = buf;
enc.length = len;
maj = gss_unwrap(&min, *context, &enc, &dec, NULL, NULL);
if(maj != GSS_S_COMPLETE) {
if(len >= 4)
strcpy(buf, "599 ");
if(maj != GSS_S_COMPLETE)
return -1;
}
memcpy(buf, dec.value, dec.length);
len = curlx_uztosi(dec.length);
@ -508,6 +505,7 @@ static CURLcode read_data(struct connectdata *conn,
{
int len;
CURLcode result;
int nread;
result = socket_read(fd, &len, sizeof(len));
if(result)
@ -516,7 +514,10 @@ static CURLcode read_data(struct connectdata *conn,
if(len) {
/* only realloc if there was a length */
len = ntohl(len);
buf->data = Curl_saferealloc(buf->data, len);
if(len > CURL_MAX_INPUT_LENGTH)
len = 0;
else
buf->data = Curl_saferealloc(buf->data, len);
}
if(!len || !buf->data)
return CURLE_OUT_OF_MEMORY;
@ -524,8 +525,11 @@ static CURLcode read_data(struct connectdata *conn,
result = socket_read(fd, buf->data, len);
if(result)
return result;
buf->size = conn->mech->decode(conn->app_data, buf->data, len,
conn->data_prot, conn);
nread = conn->mech->decode(conn->app_data, buf->data, len,
conn->data_prot, conn);
if(nread < 0)
return CURLE_RECV_ERROR;
buf->size = (size_t)nread;
buf->index = 0;
return CURLE_OK;
}