From: alhudz Date: Sat, 13 Jun 2026 08:04:51 +0000 (+0530) Subject: pingpong: reject nul byte in server response line X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2f8fb98c5f0c4ff490a6c836634b69034d2a7cd9;p=thirdparty%2Fcurl.git pingpong: reject nul byte in server response line Add test 2108 covering the rejection over FTP. Drop the now-vestigial nul bytes from test 1282; they exercised the removed Kerberos FTP security buffer check and now trip this rejection before the 633 login-denied path is reached. Closes #21996 --- diff --git a/lib/pingpong.c b/lib/pingpong.c index ae3f7faa30..b40d968b3f 100644 --- a/lib/pingpong.c +++ b/lib/pingpong.c @@ -292,6 +292,13 @@ CURLcode Curl_pp_readresp(struct Curl_easy *data, the line is not really terminated until the LF comes */ size_t length = nl - line + 1; + if(memchr(line, 0, length)) { + /* The response line is passed on as a "header" below, so reject an + embedded nul the same way verify_header() does for HTTP. */ + failf(data, "Nul byte in server response line"); + return CURLE_WEIRD_SERVER_REPLY; + } + /* output debug output if that is requested */ Curl_debug(data, CURLINFO_HEADER_IN, line, length); diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 705b8be4cd..6e8eca22bd 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -254,6 +254,7 @@ test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 \ test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 \ test2088 test2089 test2090 test2091 test2092 \ test2100 test2101 test2102 test2103 test2104 test2105 test2106 test2107 \ +test2108 \ \ test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \ test2208 \ diff --git a/tests/data/test1282 b/tests/data/test1282 index 06cf5170ed..774f54cffa 100644 --- a/tests/data/test1282 +++ b/tests/data/test1282 @@ -10,7 +10,7 @@ RETR # Server-side -REPLY PASS 633 XXXXXXXX\x00\x00XXXXXXXX +REPLY PASS 633 XXXXXXXXXXXXXXXX 
diff --git a/tests/data/test2108 b/tests/data/test2108 new file mode 100644 index 0000000000..481d09357e --- /dev/null +++ b/tests/data/test2108 @@ -0,0 +1,41 @@ + + + + +FTP + + +# Server-side + + +REPLY PASS 230 logged\x00 in + + + +# Client-side + + +ftp + + +FTP rejects a nul byte in a server response line + + +ftp://%HOSTIP:%FTPPORT/%TESTNUMBER + + + + +# Verify data after the test has been "shot" + + +USER anonymous +PASS ftp@example.com + + +# 8 == CURLE_WEIRD_SERVER_REPLY + +8 + + +
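Review bot: In the lib/pingpong.c hunk, the new `if(memchr(line, 0, length))` block returns before the `Curl_debug(data, CURLINFO_HEADER_IN, line, length)` call that follows it, so a rejected line never reaches the debug callback. A user running with verbose output then sees only "Nul byte in server response line" and not the bytes that triggered it. Consider placing the check after the Curl_debug() call, which already takes an explicit length, or extend the comment to say that suppressing the trace for such lines is intended.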
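Review bot: In the tests/data/test1282 hunk, the reason for the change lives only in the commit message. The new reply `REPLY PASS 633 XXXXXXXXXXXXXXXX` is 16 filler bytes where the old one carried 18 including the two nul bytes, and nothing in the file says whether the payload still matters. A short comment under `# Server-side` noting that the text after 633 is arbitrary for the login-denied path would keep a later reader from reintroducing binary bytes here.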
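Review bot: In the new tests/data/test2108, the only case exercised is a nul in the middle of a single-line reply, `REPLY PASS 230 logged\x00 in`. The check in lib/pingpong.c scans `length = nl - line + 1` bytes, so the edges of that range are untested: a nul as the first byte of the line and a nul directly before the line ending. Adding a variant for at least one of those, and one where the nul arrives in an earlier reply than PASS, would pin down that the rejection applies to every response line and not just this position. The `# 8 == CURLE_WEIRD_SERVER_REPLY` comment is helpful and should stay.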