[people/stevee/ipfire-2.x.git] / src / patches / curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch

From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Wed, 11 Oct 2023 07:34:19 +0200
Subject: [PATCH] socks: return error if hostname too long for remote resolve

Prior to this change the state machine attempted to change the remote
resolve to a local resolve if the hostname was longer than 255
characters. Unfortunately that did not work as intended and caused a
security issue.

Bug: https://curl.se/docs/CVE-2023-38545.html

diff --git a/lib/socks.c b/lib/socks.c
index c492d663c4738..a7b5ab07e47d0 100644
--- a/lib/socks.c
+++ b/lib/socks.c
@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
 
     /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
     if(!socks5_resolve_local && hostname_len > 255) {
-      infof(data, "SOCKS5: server resolving disabled for hostnames of "
-            "length > 255 [actual len=%zu]", hostname_len);
-      socks5_resolve_local = TRUE;
+      failf(data, "SOCKS5: the destination hostname is too long to be "
+            "resolved remotely by the proxy.");
+      return CURLPX_LONG_HOSTNAME;
     }
 
     if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
@@ -903,7 +903,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
       }
       else {
         socksreq[len++] = 3;
-        socksreq[len++] = (char) hostname_len; /* one byte address length */
+        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
         memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
         len += hostname_len;
       }
Commit	Line	Data
c48872ef MT	1	From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
	2	From: Jay Satiro <raysatiro@yahoo.com>
	3	Date: Wed, 11 Oct 2023 07:34:19 +0200
	4	Subject: [PATCH] socks: return error if hostname too long for remote resolve
	5
	6	Prior to this change the state machine attempted to change the remote
	7	resolve to a local resolve if the hostname was longer than 255
	8	characters. Unfortunately that did not work as intended and caused a
	9	security issue.
	10
	11	Bug: https://curl.se/docs/CVE-2023-38545.html
	12
	13	diff --git a/lib/socks.c b/lib/socks.c
	14	index c492d663c4738..a7b5ab07e47d0 100644
	15	--- a/lib/socks.c
	16	+++ b/lib/socks.c
	17	@@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
	18
	19	/* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
	20	if(!socks5_resolve_local && hostname_len > 255) {
	21	- infof(data, "SOCKS5: server resolving disabled for hostnames of "
	22	- "length > 255 [actual len=%zu]", hostname_len);
	23	- socks5_resolve_local = TRUE;
	24	+ failf(data, "SOCKS5: the destination hostname is too long to be "
	25	+ "resolved remotely by the proxy.");
	26	+ return CURLPX_LONG_HOSTNAME;
	27	}
	28
	29	if(auth & ~(CURLAUTH_BASIC \| CURLAUTH_GSSAPI))
	30	@@ -903,7 +903,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
	31	}
	32	else {
	33	socksreq[len++] = 3;
	34	- socksreq[len++] = (char) hostname_len; /* one byte address length */
	35	+ socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
	36	memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
	37	len += hostname_len;
	38	}