[GNUnet-SVN] [gnurl] 67/73: ftp: reject illegal IP/port in PASV 227 resp

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[GNUnet-SVN] [gnurl] 67/73: ftp: reject illegal IP/port in PASV 227 resp

From:	gnunet
Subject:	[GNUnet-SVN] [gnurl] 67/73: ftp: reject illegal IP/port in PASV 227 response
Date:	Tue, 24 Oct 2017 18:54:48 +0200

This is an automated email from the git hooks/post-receive script.

ng0 pushed a commit to branch master
in repository gnurl.

commit 769647e714b8da41bdb72720bf02dce56033e02e
Author: Daniel Stenberg <address@hidden>
AuthorDate: Thu Oct 19 14:41:14 2017 +0200

    ftp: reject illegal IP/port in PASV 227 response
    
    ... by using range checks. Among other things, this avoids an undefined
    behavior for a left shift that could happen on negative or very large
    values.
    
    Closes #1997
    
    Detected by OSS-fuzz: 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
---
 lib/ftp.c          | 9 +++++----
 tests/data/test237 | 8 ++------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/lib/ftp.c b/lib/ftp.c
index 0c9df7890..edcfd5f80 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -1874,8 +1874,8 @@ static CURLcode ftp_state_pasv_resp(struct connectdata 
*conn,
   else if((ftpc->count1 == 1) &&
           (ftpcode == 227)) {
     /* positive PASV response */
-    int ip[4];
-    int port[2];
+    unsigned int ip[4];
+    unsigned int port[2];
 
     /*
      * Scan for a sequence of six comma-separated numbers and use them as
@@ -1887,14 +1887,15 @@ static CURLcode ftp_state_pasv_resp(struct connectdata 
*conn,
      * "227 Entering passive mode. 127,0,0,1,4,51"
      */
     while(*str) {
-      if(6 == sscanf(str, "%d,%d,%d,%d,%d,%d",
+      if(6 == sscanf(str, "%u,%u,%u,%u,%u,%u",
                      &ip[0], &ip[1], &ip[2], &ip[3],
                      &port[0], &port[1]))
         break;
       str++;
     }
 
-    if(!*str) {
+    if(!*str || (ip[0] > 255) || (ip[1] > 255)  || (ip[2] > 255)  ||
+       (ip[3] > 255) || (port[0] > 255)  || (port[1] > 255) ) {
       failf(data, "Couldn't interpret the 227-response");
       return CURLE_FTP_WEIRD_227_FORMAT;
     }
diff --git a/tests/data/test237 b/tests/data/test237
index 9a40f1f6b..e9147dcd1 100644
--- a/tests/data/test237
+++ b/tests/data/test237
@@ -30,13 +30,9 @@ ftp://%HOSTIP:%FTPPORT/237 --disable-epsv
 # certain hosts with buggy resolver code, the resulting address (192.0.2.127)
 # is from an address block that is guaranteed never to be assigned (RFC3330).
 <verify>
-# curl: (15) Can't resolve new host 1216.256.2.127:32639
-# 15 => CURLE_FTP_CANT_GET_HOST
-# some systems just don't fail on the illegal host name/address but instead
-# moves on and attempt to connect to... yes, to what?
-# 7= CURLE_COULDNT_CONNECT
+# 14 = CURLE_FTP_WEIRD_227_FORMAT
 <errorcode>
-15, 7
+14
 </errorcode>
 <protocol>
 USER anonymous

-- 
To stop receiving notification emails like this one, please contact
address@hidden

[Prev in Thread]

Current Thread

[Next in Thread]

[GNUnet-SVN] [gnurl] 24/73: mime: avoid resetting a part's encoder when part's contents change., (continued)
- [GNUnet-SVN] [gnurl] 24/73: mime: avoid resetting a part's encoder when part's contents change., gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 48/73: mime: fix the content reader to handle >16K data properly, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 43/73: HELP-US: the label "PR-welcome" is now renamed to "help wanted", gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 22/73: RELEASE-NOTES: synced with a4c1c75da30af1, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 39/73: test950; verify SMTP with custom request, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 30/73: curl: don't pass semicolons when parsing Content-Disposition, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 42/73: RELEASE-NOTES: synced with 5505df7d2, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 44/73: winbuild/BUILD.WINDOWS.txt: mention WITH_NGHTTP2, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 15/73: pingpong: return error when trying to send without connection, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 45/73: cli tool: reimplement stdin buffering in -F option., gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 67/73: ftp: reject illegal IP/port in PASV 227 response, gnunet <=
- [GNUnet-SVN] [gnurl] 54/73: ldap: silence clang warning, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 51/73: configure: remove the C++ compiler check, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 47/73: mime: keep "text/plain" content type if user-specified., gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 56/73: setopt: avoid integer overflows when setting millsecond values, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 52/73: memdebug: trace send, recv and socket, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 64/73: test308: disable if MultiSSL feature enabled, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 71/73: THANKS: update at 7.56.1 release time, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 68/73: imap: if a FETCH response has no size, don't call write callback, gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 61/73: os400: add missing symbols in config file., gnunet, 2017/10/24
- [GNUnet-SVN] [gnurl] 17/73: remove_handle: call multi_done() first, then clear dns cache pointer, gnunet, 2017/10/24

Prev by Date: [GNUnet-SVN] [gnurl] 45/73: cli tool: reimplement stdin buffering in -F option.
Next by Date: [GNUnet-SVN] [gnurl] 54/73: ldap: silence clang warning
Previous by thread: [GNUnet-SVN] [gnurl] 45/73: cli tool: reimplement stdin buffering in -F option.
Next by thread: [GNUnet-SVN] [gnurl] 54/73: ldap: silence clang warning
Index(es):
- Date
- Thread