Unverified Commit 5ff2c5ff authored by Daniel Stenberg's avatar Daniel Stenberg

FTP: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero
terminating byte. CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
parent 440dbcb0
+5 −2
@@ -2779,6 +2779,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
        const size_t buf_size = data->set.buffer_size;
        char *dir;
        char *store;
        bool entry_extracted = FALSE;

        dir = malloc(nread + 1);
        if(!dir)
@@ -2810,7 +2811,7 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
              }
              else {
                /* end of path */
                *store = '\0'; /* zero terminate */
                entry_extracted = TRUE;
                break; /* get out of this loop */
              }
            }
@@ -2819,7 +2820,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
            store++;
            ptr++;
          }

          *store = '\0'; /* zero terminate */
        }
        if(entry_extracted) {
          /* If the path name does not look like an absolute path (i.e.: it
             does not start with a '/'), we probably need some server-dependent
             adjustments. For example, this is the case when connecting to
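Review bot: The unconditional `*store = '\0';` after the copy loop (third hunk) is the actual fix, but nothing at that line records why the in-loop termination was not sufficient, so a later cleanup could easily fold it back into the quote branch; I'd comment it: `/* the loop also ends at end-of-input when the closing quote is missing; terminate here so dir is a valid string either way */`. The write stays in bounds because `store` advances at most once per input byte and `dir` was sized `nread + 1`, which is worth stating on the malloc line in the first hunk, e.g. `/* +1: room for the terminator written after the copy loop */`. Whether the `!entry_extracted` path frees `dir` cannot be confirmed from these hunks; the for-loop header and the rest of ftp_statemach_act lie outside them.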
+1 −0
@@ -122,6 +122,7 @@ test1120 test1121 test1122 test1123 test1124 test1125 test1126 test1127 \
test1128 test1129 test1130 test1131 test1132 test1133 test1134 test1135 \
test1136 test1137 test1138 test1139 test1140 test1141 test1142 test1143 \
test1144 test1145 test1146 test1147 test1148 test1149 test1150 test1151 \
test1152 \
\
test1160 test1161 \
test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \

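--- /dev/null
+++ b/tests/data/test1152
@@ -0,0 +1,61 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+LIST
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+<servercmd>
+REPLY PWD 257 "just one
+</servercmd>
+
+# When doing LIST, we get the default list output hard-coded in the test
+# FTP server
+<data mode="text">
+total 20
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 .
+drwxr-xr-x   8 98       98           512 Oct 22 13:06 ..
+drwxr-xr-x   2 98       98           512 May  2  1996 curl-releases
+-r--r--r--   1 0        1             35 Jul 16  1996 README
+lrwxrwxrwx   1 0        1              7 Dec  9  1999 bin -> usr/bin
+dr-xr-xr-x   2 0        1            512 Oct  1  1997 dev
+drwxrwxrwx   2 98       98           512 May 29 16:04 download.html
+dr-xr-xr-x   2 0        1            512 Nov 30  1995 etc
+drwxrwxrwx   2 98       1            512 Oct 30 14:33 pub
+dr-xr-xr-x   5 0        1            512 Oct  1  1997 usr
+</data>
+</reply>
+
+#
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP with uneven quote in PWD response
+ </name>
+ <command>
+ftp://%HOSTIP:%FTPPORT/test-1152/
+</command>
+</client>
+
+#
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+CWD test-1152
+EPSV
+TYPE A
+LIST
+QUIT
+</protocol>
+</verify>
+</testcase>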
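Review bot: The `<verify>` block only pins the command sequence, and the defect this test guards against is a missing terminator on the entry-path buffer, which produces no protocol-visible difference; the case is therefore only conclusive when the suite runs under a memory checker, which this page does not show. The file should say what it is for so nobody trims it as a duplicate of the plain PWD tests, e.g. a header comment after the first `#`: `# Regression test for CVE-2017-1000254: PWD reply with an unbalanced quote`. A sibling case for the doubled-quote escape and for an empty quoted reply would cover the other exits of the same copy loop.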