58 lines
1.9 KiB
Diff
58 lines
1.9 KiB
Diff
commit 00005e46cef3c823411fbe2b929041eacfe9226c
|
|
Author: Daniel Stenberg <daniel@haxx.se>
|
|
Date: Mon May 16 16:28:13 2022 +0200
|
|
|
|
[Backport] content_encoding: return error on too many compression steps
|
|
|
|
Offering: RTOS
|
|
CVE: CVE-2022-32206
|
|
Reference: upstream_commit_id=3a09fbb7f264c67c438d01a30669ce325aa508e2
|
|
|
|
DTS/AR: DTS2022063005656
|
|
type: LTS
|
|
reason: fix CVE-2022-32206 for curl.
|
|
weblink:https://github.com/curl/curl/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2
|
|
|
|
The max allowed steps is arbitrarily set to 5.
|
|
|
|
Bug: https://curl.se/docs/CVE-2022-32206.html
|
|
CVE-2022-32206
|
|
Reported-by: Harry Sintonen
|
|
Closes #9049
|
|
|
|
Signed-off-by: jiahuasheng <jiahuasheng@h-partners.com>
|
|
|
|
diff --git a/lib/content_encoding.c b/lib/content_encoding.c
|
|
index a84ff543b..e78cd1cab 100644
|
|
--- a/lib/content_encoding.c
|
|
+++ b/lib/content_encoding.c
|
|
@@ -1025,12 +1025,16 @@ static const struct content_encoding *find_encoding(const char *name,
|
|
return NULL;
|
|
}
|
|
|
|
+/* allow no more than 5 "chained" compression steps */
|
|
+#define MAX_ENCODE_STACK 5
|
|
+
|
|
/* Set-up the unencoding stack from the Content-Encoding header value.
|
|
* See RFC 7231 section 3.1.2.2. */
|
|
CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
|
const char *enclist, int maybechunked)
|
|
{
|
|
struct SingleRequest *k = &data->req;
|
|
+ int counter = 0;
|
|
|
|
do {
|
|
const char *name;
|
|
@@ -1065,6 +1069,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
|
|
if(!encoding)
|
|
encoding = &error_encoding; /* Defer error at stack use. */
|
|
|
|
+ if(++counter >= MAX_ENCODE_STACK) {
|
|
+ failf(data, "Reject response due to %u content encodings",
|
|
+ counter);
|
|
+ return CURLE_BAD_CONTENT_ENCODING;
|
|
+ }
|
|
/* Stack the unencoding stage. */
|
|
writer = new_unencoding_writer(data, encoding, k->writer_stack);
|
|
if(!writer)
|