src/patches/curl-8.4.0-fb4415d8aee6c1045be932a34fe6107c2f5ed147.patch

   1 From fb4415d8aee6c1045be932a34fe6107c2f5ed147 Mon Sep 17 00:00:00 2001
   2 From: Jay Satiro <raysatiro@yahoo.com>
   3 Date: Wed, 11 Oct 2023 07:34:19 +0200
   4 Subject: [PATCH] socks: return error if hostname too long for remote resolve
   5
   6 Prior to this change the state machine attempted to change the remote
   7 resolve to a local resolve if the hostname was longer than 255
   8 characters. Unfortunately that did not work as intended and caused a
   9 security issue.
  10
  11 Bug: https://curl.se/docs/CVE-2023-38545.html
  12
  13 diff --git a/lib/socks.c b/lib/socks.c
  14 index c492d663c4738..a7b5ab07e47d0 100644
  15 --- a/lib/socks.c
  16 +++ b/lib/socks.c
  17 @@ -587,9 +587,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
  18
  19      /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */
  20      if(!socks5_resolve_local && hostname_len > 255) {
  21 -      infof(data, "SOCKS5: server resolving disabled for hostnames of "
  22 -            "length > 255 [actual len=%zu]", hostname_len);
  23 -      socks5_resolve_local = TRUE;
  24 +      failf(data, "SOCKS5: the destination hostname is too long to be "
  25 +            "resolved remotely by the proxy.");
  26 +      return CURLPX_LONG_HOSTNAME;
  27      }
  28
  29      if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI))
  30 @@ -903,7 +903,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf,
  31        }
  32        else {
  33          socksreq[len++] = 3;
  34 -        socksreq[len++] = (char) hostname_len; /* one byte address length */
  35 +        socksreq[len++] = (unsigned char) hostname_len; /* one byte length */
  36          memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */
  37          len += hostname_len;
  38        }