1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 23:58:49 -05:00

glob: do not continue parsing after a strtoul() overflow range

Added test 1289 to verify.

CVE-2017-1000101

Bug: https://curl.haxx.se/docs/adv_20170809A.html
Reported-by: Brian Carpenter
This commit is contained in:
Daniel Stenberg 2017-08-01 17:16:07 +02:00
parent 358b2b131a
commit 453e7a7a03
3 changed files with 40 additions and 2 deletions

View File

@ -273,7 +273,10 @@ static CURLcode glob_range(URLGlob *glob, char **patternp,
}
errno = 0;
max_n = strtoul(pattern, &endp, 10);
if(errno || (*endp == ':')) {
if(errno)
/* overflow */
endp = NULL;
else if(*endp == ':') {
pattern = endp+1;
errno = 0;
step_n = strtoul(pattern, &endp, 10);

View File

@ -132,7 +132,7 @@ test1252 test1253 test1254 test1255 test1256 test1257 test1258 test1259 \
test1260 test1261 test1262 \
\
test1280 test1281 test1282 test1283 test1284 test1285 test1286 test1287 \
test1288 \
test1288 test1289 \
test1298 test1299 \
test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \

35
tests/data/test1289 Normal file
View File

@ -0,0 +1,35 @@
<testcase>
<info>
<keywords>
HTTP
HTTP GET
globbing
</keywords>
</info>
#
# Server-side
<reply>
</reply>
# Client-side
<client>
<server>
http
</server>
<name>
globbing with overflow and bad syntxx
</name>
<command>
http://ur%20[0-60000000000000000000
</command>
</client>
# Verify data after the test has been "shot"
<verify>
# curl: (3) [globbing] bad range in column
<errorcode>
3
</errorcode>
</verify>
</testcase>