From 6a566f26236e4b327723c8ab1053fc27ed6b819c Mon Sep 17 00:00:00 2001 From: Patrick Monnerat Date: Mon, 13 Feb 2023 08:33:09 +0100 Subject: [PATCH 2/2] [Backport] content_encoding: do not reset stage counter for each header Offering: RTOS CVE: CVE-2023-23916 Reference: https://github.com/curl/curl/commit/119fb187192a9ea13dc90d9d20c215fc82799ab9 DTS/AR: DTS2023021511961 type: LTS reason: do not reset stage counter for each header Test 418 verifies Closes #10492 (cherry picked from commit 119fb187192a9ea13dc90d9d20c215fc82799ab9) Conflicts: lib/urldata.h tests/data/Makefile.inc Signed-off-by: chenzanyu --- lib/content_encoding.c | 7 +- lib/urldata.h | 3 +- tests/data/Makefile.inc | 2 +- tests/data/test387 | 2 +- tests/data/test418 | 152 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 159 insertions(+), 7 deletions(-) create mode 100644 tests/data/test418 diff --git a/lib/content_encoding.c b/lib/content_encoding.c index 37aceccdf..cdc5baf21 100644 --- a/lib/content_encoding.c +++ b/lib/content_encoding.c @@ -1036,7 +1036,6 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, const char *enclist, int is_transfer) { struct SingleRequest *k = &data->req; - int counter = 0; unsigned int order = is_transfer? 2: 1; do { @@ -1073,9 +1072,9 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data, if(!encoding) encoding = &error_encoding; /* Defer error at stack use. */ - if(++counter >= MAX_ENCODE_STACK) { - failf(data, "Reject response due to %u content encodings", - counter); + if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) { + failf(data, "Reject response due to more than %u content encodings", + MAX_ENCODE_STACK); return CURLE_BAD_CONTENT_ENCODING; } /* Stack the unencoding stage. */ diff --git a/lib/urldata.h b/lib/urldata.h index 5d4db19a6..ba76fc794 100644 --- a/lib/urldata.h +++ b/lib/urldata.h 
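Review bot: In the second hunk of lib/content_encoding.c, `if(k->writer_stack_depth++ >= MAX_ENCODE_STACK)` still increments the counter on the call that rejects, and the field it counts in is an `unsigned char`, so the bound holds only while every caller aborts the transfer on CURLE_BAD_CONTENT_ENCODING. Testing before counting keeps the depth saturated at the limit: `if(k->writer_stack_depth >= MAX_ENCODE_STACK) {` for the check, and `k->writer_stack_depth++;` after the closing brace of the reject block. The new condition also moves the boundary by one: the old `++counter >=` form rejected the stage that reached MAX_ENCODE_STACK, while this one rejects the stage after it. The reworded message reflects that, but a short comment at the check would make it explicit. Curl_build_unencoding_stack starts and ends outside this hunk, so how its callers treat the error return is not visible here.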
@@ -706,7 +706,8 @@ struct SingleRequest { struct dohdata *doh; /* DoH specific data for this request */ #endif unsigned char setcookies; - BIT(header); /* incoming data has HTTP header */ + unsigned char writer_stack_depth; /* Unencoding stack depth. */ + BIT(header); /* incoming data has HTTP header */ BIT(content_range); /* set TRUE if Content-Range: was found */ BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding upload and we're uploading the last chunk */ diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 831cdb800..37237044e 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -65,7 +65,7 @@ test387 \ test393 test394 test395 test396 test397 \ \ test400 test401 test402 test403 test404 test405 test406 test407 test408 \ -test409 test410 \ +test409 test410 test418 \ \ test430 test431 test432 test433 test434 \ \ diff --git a/tests/data/test387 b/tests/data/test387 index 015ec25f1..644fc7f36 100644 --- a/tests/data/test387 +++ b/tests/data/test387 @@ -47,7 +47,7 @@ Accept: */* 61 -curl: (61) Reject response due to 5 content encodings +curl: (61) Reject response due to more than 5 content encodings diff --git a/tests/data/test418 b/tests/data/test418 new file mode 100644 index 000000000..50e974e60 --- /dev/null +++ b/tests/data/test418 
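Review bot: The comment on the new `writer_stack_depth` field in struct SingleRequest (lib/urldata.h hunk) does not say that the depth now accumulates across all encoding headers of a response, nor where it returns to zero. Because this counter is what bounds the decoder chain, I would document both, e.g. `/* Unencoding stack depth, summed over all encoding headers of this response; must be zero again once the request is reinitialised. */`. Nothing in this patch resets the field, so it presumably relies on the whole SingleRequest being cleared per request. That is worth confirming on this backport branch, because a stale count would reject legitimate responses on a reused handle. The `unsigned char` type also requires MAX_ENCODE_STACK to stay below 256, which a compile-time check next to the macro would pin.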
@@ -0,0 +1,152 @@
+
+
+
+HTTP
+gzip
+
+
+
+#
+# Server-side
+
+
+HTTP/1.1 200 OK
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+Transfer-Encoding: gzip
+
+-foo-
+
+
+
+#
+# Client-side
+
+
+http
+
+
+Response with multiple Transfer-Encoding headers
+
+
+http://%HOSTIP:%HTTPPORT/%TESTNUMBER -sS
+
+
+
+#
+# Verify data after the test has been "shot"
+
+
+GET /%TESTNUMBER HTTP/1.1
+Host: %HOSTIP:%HTTPPORT
+User-Agent: curl/%VERSION
+Accept: */*
+
+
+
+# CURLE_BAD_CONTENT_ENCODING is 61
+
+61
+
+
+curl: (61) Reject response due to more than 5 content encodings
+
+
+
-- 2.35.1.windows.2
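Review bot: test418 covers only repeated `Transfer-Encoding: gzip` headers far above the limit; nothing in it exercises the boundary or the other route into the shared counter. Curl_build_unencoding_stack takes an `is_transfer` flag, so repeated Content-Encoding headers, or a mix of both header types, presumably feed the same `writer_stack_depth` and deserve a sibling case. A companion test with the stages spread over several headers and totalling exactly MAX_ENCODE_STACK, expecting no error 61, would catch an off-by-one regression in the new `>=` check.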