From: Daniel Stenberg
Date: Tue, 27 Dec 2022 16:19:51 +0000 (+0100)
Subject: socketpair: allow localhost MITM sniffers
X-Git-Tag: curl-7_88_0~210
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7fa449ca0c8ccccbb25a2f7023f09ae2184a78bb;p=thirdparty%2Fcurl.git
socketpair: allow localhost MITM sniffers
Windows allow programs to MITM connections to localhost. The previous check here would detect that and error out. This new method writes data to verify the pipe thus allowing MITM.
Reported-by: SerusDev on github
Fixes #10144
Closes #10169
---
diff --git a/lib/socketpair.c b/lib/socketpair.c
index 0f8798f087..20e22bcb3c 100644
--- a/lib/socketpair.c
+++ b/lib/socketpair.c
@@ -65,7 +65,7 @@ int Curl_socketpair(int domain, int type, int protocol,
 union {
 struct sockaddr_in inaddr;
 struct sockaddr addr;
- } a, a2;
+ } a;
 curl_socket_t listener;
 curl_socklen_t addrlen = sizeof(a.inaddr);
 int reuse = 1;
@@ -107,24 +107,21 @@ int Curl_socketpair(int domain, int type, int protocol,
 pfd[0].fd = listener;
 pfd[0].events = POLLIN;
 pfd[0].revents = 0;
- (void)Curl_poll(pfd, 1, 10*1000); /* 10 seconds */
+ (void)Curl_poll(pfd, 1, 1000); /* one second */
 socks[1] = accept(listener, NULL, NULL);
 if(socks[1] == CURL_SOCKET_BAD)
 goto error;
+ else {
+ struct curltime check;
+ struct curltime now = Curl_now();
- /* verify that nothing else connected */
- addrlen = sizeof(a.inaddr);
- if(getsockname(socks[0], &a.addr, &addrlen) == -1 ||
- addrlen < (int)sizeof(a.inaddr))
- goto error;
- addrlen = sizeof(a2.inaddr);
- if(getpeername(socks[1], &a2.addr, &addrlen) == -1 ||
- addrlen < (int)sizeof(a2.inaddr))
- goto error;
- if(a.inaddr.sin_family != a2.inaddr.sin_family ||
- a.inaddr.sin_addr.s_addr != a2.inaddr.sin_addr.s_addr ||
- a.inaddr.sin_port != a2.inaddr.sin_port)
- goto error;
+ /* write data to the socket */
+ swrite(socks[0], &now, sizeof(now));
+ /* verify that we read the correct data */
+ if((sizeof(now) != sread(socks[1], &check, sizeof(check)) ||
+ memcmp(&now, &check, sizeof(check))))
+ goto error;
+ }
 sclose(listener);
 return 0;
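Review bot: The token compared in the added `else` block is `now` from `Curl_now()`, a clock value that is guessable, while the removed `getsockname()`/`getpeername()` comparison was the only thing tying `socks[1]` to `socks[0]`; if this check is still meant to reject an unrelated local peer that reached the listener, the token should be unpredictable bytes. The return value of `swrite()` is also ignored, so a failed or short write still reaches `sread()`, which is not preceded by a poll and may wait on a peer that never sends (the socket mode is not visible in this hunk). The sketch below draws the token from `Curl_rand()` and checks the write; the 16-byte length is an arbitrary choice, and whether `Curl_rand()` may be called here without an easy handle, and whether its header is already included, needs confirming. `Curl_socketpair()` begins and ends outside the hunk.

```c
  else {
    /* unpredictable token, so a matching read says more than "someone
       sent the current time" */
    unsigned char rnd[16];
    unsigned char check[sizeof(rnd)];

    if(Curl_rand(NULL, rnd, sizeof(rnd)))
      goto error;

    /* a failed or short write must not fall through to the read */
    if(sizeof(rnd) != swrite(socks[0], rnd, sizeof(rnd)))
      goto error;
    /* verify that we read the correct data */
    if((sizeof(check) != sread(socks[1], check, sizeof(check))) ||
       memcmp(rnd, check, sizeof(check)))
      goto error;
  }
```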