]>
Commit | Line | Data |
---|---|---|
c48872ef MT |
1 | From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001 |
2 | From: Jay Satiro <raysatiro@yahoo.com> | |
3 | Date: Wed, 11 Oct 2023 07:34:19 +0200 | |
4 | Subject: [PATCH] socks: return error if hostname too long for remote resolve | |
5 | ||
6 | Prior to this change the state machine attempted to change the remote | |
7 | resolve to a local resolve if the hostname was longer than 255 | |
8 | characters. Unfortunately that did not work as intended and caused a | |
9 | security issue. | |
10 | ||
11 | Bug: https://curl.se/docs/CVE-2023-38545.html | |
12 | ||
13 | diff --git a/lib/socks.c b/lib/socks.c | |
14 | index c492d663c4738..a7b5ab07e47d0 100644 | |
15 | --- a/lib/socks.c | |
16 | +++ b/lib/socks.c | |
17 | @@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, | |
18 | ||
19 | /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ | |
20 | if(!socks5_resolve_local && hostname_len > 255) { | |
21 | - infof(data, "SOCKS5: server resolving disabled for hostnames of " | |
22 | - "length > 255 [actual len=%zu]", hostname_len); | |
23 | - socks5_resolve_local = TRUE; | |
24 | + failf(data, "SOCKS5: the destination hostname is too long to be " | |
25 | + "resolved remotely by the proxy."); | |
26 | + return CURLPX_LONG_HOSTNAME; | |
27 | } | |
28 | ||
29 | if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) | |
30 | @@ -903,7 +903,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, | |
31 | } | |
32 | else { | |
33 | socksreq[len++] = 3; | |
34 | - socksreq[len++] = (char) hostname_len; /* one byte address length */ | |
35 | + socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ | |
36 | memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ | |
37 | len += hostname_len; | |
38 | } |