From f121575c0b5fe4bc10371c993bcb78fec23428ec Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 14 Oct 2017 17:20:13 +0200 Subject: [PATCH] setopt: range check most long options ... filter early instead of risking "funny values" having to be dealt with elsewhere. --- lib/url.c | 193 +++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 154 insertions(+), 39 deletions(-) diff --git a/lib/url.c b/lib/url.c index 177952372..76c09c72a 100644 --- a/lib/url.c +++ b/lib/url.c @@ -721,13 +721,14 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, char *argptr; CURLcode result = CURLE_OK; long arg; -#ifndef CURL_DISABLE_HTTP curl_off_t bigsize; -#endif switch(option) { case CURLOPT_DNS_CACHE_TIMEOUT: - data->set.dns_cache_timeout = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.dns_cache_timeout = arg; break; case CURLOPT_DNS_USE_GLOBAL_CACHE: /* remember we want this enabled */ @@ -765,7 +766,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * Set the absolute number of maximum simultaneous alive connection that * libcurl is allowed to have. */ - data->set.maxconnects = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.maxconnects = arg; break; case CURLOPT_FORBID_REUSE: /* @@ -876,7 +880,7 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * before it is considered failure. For pingpong protocols. */ arg = va_arg(param, long); - if((arg>=0) && (arg < (INT_MAX/1000))) + if((arg >= 0) && (arg < (INT_MAX/1000))) data->set.server_response_timeout = arg * 1000; else return CURLE_BAD_FUNCTION_ARGUMENT; @@ -892,7 +896,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * TFTP option that specifies the block size to use for data transmission. */ - data->set.tftp_blksize = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.tftp_blksize = arg; break; case CURLOPT_DIRLISTONLY: /* @@ -911,13 +918,19 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * How do access files over FTP. */ - data->set.ftp_filemethod = (curl_ftpfile)va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURLFTPMETHOD_DEFAULT) || (arg > CURLFTPMETHOD_SINGLECWD)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.ftp_filemethod = (curl_ftpfile)arg; break; case CURLOPT_NETRC: /* * Parse the $HOME/.netrc file */ - data->set.use_netrc = (enum CURL_NETRC_OPTION)va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURL_NETRC_IGNORED) || (arg > CURL_NETRC_REQUIRED)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.use_netrc = (enum CURL_NETRC_OPTION)arg; break; case CURLOPT_NETRC_FILE: /* @@ -940,7 +953,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * Set HTTP time condition. This must be one of the defines in the * curl/curl.h header file. */ - data->set.timecondition = (curl_TimeCond)va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURL_TIMECOND_NONE) || (arg > CURL_TIMECOND_LASTMOD)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.timecondition = (curl_TimeCond)arg; break; case CURLOPT_TIMEVALUE: /* @@ -956,6 +972,8 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, */ #ifdef USE_SSL arg = va_arg(param, long); + if((arg < CURL_SSLVERSION_DEFAULT) || (arg > CURL_SSLVERSION_TLSv1_3)) + return CURLE_BAD_FUNCTION_ARGUMENT; data->set.ssl.primary.version = C_SSLVERSION_VALUE(arg); data->set.ssl.primary.version_max = C_SSLVERSION_MAX_VALUE(arg); #else @@ -969,6 +987,8 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, */ #ifdef USE_SSL arg = va_arg(param, long); + if((arg < CURL_SSLVERSION_DEFAULT) || (arg > CURL_SSLVERSION_TLSv1_3)) + return CURLE_BAD_FUNCTION_ARGUMENT; data->set.proxy_ssl.primary.version = C_SSLVERSION_VALUE(arg); data->set.proxy_ssl.primary.version_max = C_SSLVERSION_MAX_VALUE(arg); #else @@ -1026,7 +1046,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * The maximum amount of hops you allow curl to follow Location: * headers. This should mostly be used to detect never-ending loops. */ - data->set.maxredirs = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.maxredirs = arg; break; case CURLOPT_POSTREDIR: @@ -1041,6 +1064,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * other - POST is kept as POST after 301 and 302 */ arg = va_arg(param, long); + if(arg < CURL_REDIR_GET_ALL) + /* no return error on too high numbers since the bitmask could be + extended in a future */ + return CURLE_BAD_FUNCTION_ARGUMENT; data->set.keep_post = arg & CURL_REDIR_POST_ALL; } break; @@ -1120,6 +1147,8 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * figure it out. Enables binary posts. */ bigsize = va_arg(param, long); + if(bigsize < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; if(data->set.postfieldsize < bigsize && data->set.postfields == data->set.str[STRING_COPYPOSTFIELDS]) { @@ -1369,9 +1398,14 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * the listed enums in curl/curl.h. */ arg = va_arg(param, long); + if(arg < CURL_HTTP_VERSION_NONE) + return CURLE_BAD_FUNCTION_ARGUMENT; #ifndef USE_NGHTTP2 if(arg >= CURL_HTTP_VERSION_2) return CURLE_UNSUPPORTED_PROTOCOL; +#else + if(arg > CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE) + return CURLE_UNSUPPORTED_PROTOCOL; #endif data->set.httpversion = arg; break; @@ -1381,7 +1415,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * Time to wait for a response to a HTTP request containing an * Expect: 100-continue header before sending the data anyway. */ - data->set.expect_100_timeout = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.expect_100_timeout = arg; break; #endif /* CURL_DISABLE_HTTP */ @@ -1463,7 +1500,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * Explicitly set HTTP proxy port number. */ - data->set.proxyport = va_arg(param, long); + arg = va_arg(param, long); + if((arg < 0) || (arg > 65535)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.proxyport = arg; break; case CURLOPT_PROXYAUTH: @@ -1546,7 +1586,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * Set proxy type. HTTP/HTTP_1_0/SOCKS4/SOCKS4a/SOCKS5/SOCKS5_HOSTNAME */ - data->set.proxytype = (curl_proxytype)va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURLPROXY_HTTP) || (arg > CURLPROXY_SOCKS5_HOSTNAME)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.proxytype = (curl_proxytype)arg; break; case CURLOPT_PROXY_TRANSFER_MODE: @@ -1645,7 +1688,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, break; case CURLOPT_FTP_SSL_CCC: - data->set.ftp_ccc = (curl_ftpccc)va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURLFTPSSL_CCC_NONE) || (arg > CURLFTPSSL_CCC_ACTIVE)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.ftp_ccc = (curl_ftpccc)arg; break; case CURLOPT_FTP_SKIP_PASV_IP: @@ -1668,42 +1714,60 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * If known, this should inform curl about the file size of the * to-be-uploaded file. */ - data->set.filesize = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.filesize = arg; break; case CURLOPT_INFILESIZE_LARGE: /* * If known, this should inform curl about the file size of the * to-be-uploaded file. */ - data->set.filesize = va_arg(param, curl_off_t); + bigsize = va_arg(param, curl_off_t); + if(bigsize < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.filesize = bigsize; break; case CURLOPT_LOW_SPEED_LIMIT: /* * The low speed limit that if transfers are below this for * CURLOPT_LOW_SPEED_TIME, the transfer is aborted. */ - data->set.low_speed_limit = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.low_speed_limit = arg; break; case CURLOPT_MAX_SEND_SPEED_LARGE: /* * When transfer uploads are faster then CURLOPT_MAX_SEND_SPEED_LARGE * bytes per second the transfer is throttled.. */ - data->set.max_send_speed = va_arg(param, curl_off_t); + bigsize = va_arg(param, curl_off_t); + if(bigsize < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.max_send_speed = bigsize; break; case CURLOPT_MAX_RECV_SPEED_LARGE: /* * When receiving data faster than CURLOPT_MAX_RECV_SPEED_LARGE bytes per * second the transfer is throttled.. */ - data->set.max_recv_speed = va_arg(param, curl_off_t); + bigsize = va_arg(param, curl_off_t); + if(bigsize < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.max_recv_speed = bigsize; break; case CURLOPT_LOW_SPEED_TIME: /* * The low speed time that if transfers are below the set * CURLOPT_LOW_SPEED_LIMIT during this time, the transfer is aborted. */ - data->set.low_speed_time = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.low_speed_time = arg; break; case CURLOPT_URL: /* @@ -1722,7 +1786,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * The port number to use when getting the URL */ - data->set.use_port = va_arg(param, long); + arg = va_arg(param, long); + if((arg < 0) || (arg > 65535)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.use_port = arg; break; case CURLOPT_TIMEOUT: /* @@ -1730,14 +1797,17 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * operation. */ arg = va_arg(param, long); - if((arg>=0) && (arg < (INT_MAX/1000))) + if((arg >= 0) && (arg < (INT_MAX/1000))) data->set.timeout = arg * 1000; else return CURLE_BAD_FUNCTION_ARGUMENT; break; case CURLOPT_TIMEOUT_MS: - data->set.timeout = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.timeout = arg; break; case CURLOPT_CONNECTTIMEOUT: @@ -1745,21 +1815,27 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, * The maximum time you allow curl to use to connect. */ arg = va_arg(param, long); - if((arg>=0) && (arg < (INT_MAX/1000))) + if((arg >= 0) && (arg < (INT_MAX/1000))) data->set.connecttimeout = arg * 1000; else return CURLE_BAD_FUNCTION_ARGUMENT; break; case CURLOPT_CONNECTTIMEOUT_MS: - data->set.connecttimeout = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.connecttimeout = arg; break; case CURLOPT_ACCEPTTIMEOUT_MS: /* * The maximum time you allow curl to wait for server connect */ - data->set.accepttimeout = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.accepttimeout = arg; break; case CURLOPT_USERPWD: @@ -1908,13 +1984,19 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * Resume transfer at the given file position */ - data->set.set_resume_from = va_arg(param, long); + arg = va_arg(param, long); + if(arg < -1) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.set_resume_from = arg; break; case CURLOPT_RESUME_FROM_LARGE: /* * Resume transfer at the given file position */ - data->set.set_resume_from = va_arg(param, curl_off_t); + bigsize = va_arg(param, curl_off_t); + if(bigsize < -1) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.set_resume_from = bigsize; break; case CURLOPT_DEBUGFUNCTION: /* @@ -2143,9 +2225,12 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, break; case CURLOPT_GSSAPI_DELEGATION: /* - * GSS-API credential delegation + * GSS-API credential delegation bitmask */ - data->set.gssapi_delegation = va_arg(param, long); + arg = va_arg(param, long); + if(arg < CURLGSSAPI_DELEGATION_NONE) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.gssapi_delegation = arg; break; case CURLOPT_SSL_VERIFYPEER: /* @@ -2488,7 +2573,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * Set the maximum size of a file to download. */ - data->set.max_filesize = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.max_filesize = arg; break; #ifdef USE_SSL @@ -2496,7 +2584,10 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * Make transfers attempt to use SSL/TLS. */ - data->set.use_ssl = (curl_usessl)va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURLUSESSL_NONE) || (arg > CURLUSESSL_ALL)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.use_ssl = (curl_usessl)arg; break; case CURLOPT_SSL_OPTIONS: @@ -2516,18 +2607,27 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * Set a specific auth for FTP-SSL transfers. */ - data->set.ftpsslauth = (curl_ftpauth)va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURLFTPAUTH_DEFAULT) || (arg > CURLFTPAUTH_TLS)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.ftpsslauth = (curl_ftpauth)arg; break; case CURLOPT_IPRESOLVE: - data->set.ipver = va_arg(param, long); + arg = va_arg(param, long); + if((arg < CURL_IPRESOLVE_WHATEVER) || (arg > CURL_IPRESOLVE_V6)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.ipver = arg; break; case CURLOPT_MAXFILESIZE_LARGE: /* * Set the maximum size of a file to download. */ - data->set.max_filesize = va_arg(param, curl_off_t); + bigsize = va_arg(param, curl_off_t); + if(bigsize < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.max_filesize = bigsize; break; case CURLOPT_TCP_NODELAY: @@ -2612,6 +2712,9 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, #ifdef USE_LIBSSH2 /* we only include SSH options if explicitly built to support SSH */ case CURLOPT_SSH_AUTH_TYPES: + arg = va_arg(param, long); + if(arg < CURLSSH_AUTH_NONE) + return CURLE_BAD_FUNCTION_ARGUMENT; data->set.ssh_auth_types = va_arg(param, long); break; @@ -2681,14 +2784,20 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, /* * Uses these permissions instead of 0644 */ - data->set.new_file_perms = va_arg(param, long); + arg = va_arg(param, long); + if((arg < 0) || (arg > 0777)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.new_file_perms = arg; break; case CURLOPT_NEW_DIRECTORY_PERMS: /* * Uses these permissions instead of 0755 */ - data->set.new_directory_perms = va_arg(param, long); + arg = va_arg(param, long); + if((arg < 0) || (arg > 0777)) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.new_directory_perms = arg; break; case CURLOPT_ADDRESS_SCOPE: @@ -2935,10 +3044,16 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option, data->set.tcp_keepalive = (0 != va_arg(param, long)) ? TRUE : FALSE; break; case CURLOPT_TCP_KEEPIDLE: - data->set.tcp_keepidle = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.tcp_keepidle = arg; break; case CURLOPT_TCP_KEEPINTVL: - data->set.tcp_keepintvl = va_arg(param, long); + arg = va_arg(param, long); + if(arg < 0) + return CURLE_BAD_FUNCTION_ARGUMENT; + data->set.tcp_keepintvl = arg; break; case CURLOPT_TCP_FASTOPEN: #if defined(CONNECT_DATA_IDEMPOTENT) || defined(MSG_FASTOPEN)