From 5d29d8ab34cb33cddd904e68349f77037ef1739a Mon Sep 17 00:00:00 2001
From: whuyxa
Date: Sun, 6 Aug 2023 22:31:02 +0800
Subject: [PATCH] Repair CVE-2023-23916

---
 lib/content_encoding.c | 7 +-
 lib/urldata.h | 1 +
 tests/data/Makefile.inc | 2 +-
 tests/data/test418 | 155 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 160 insertions(+), 5 deletions(-)
 create mode 100644 tests/data/test418

diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index e646f310e..fd0ca8a1e 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -944,7 +944,6 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
 {
 struct Curl_easy *data = conn->data;
 struct SingleRequest *k = &data->req;
- int counter = 0;
 
 do {
 const char *name;
@@ -979,9 +978,9 @@ CURLcode Curl_build_unencoding_stack(struct connectdata *conn,
 if(!encoding)
 encoding = &error_encoding; /* Defer error at stack use. */
 
- if(++counter >= MAX_ENCODE_STACK) {
- failf(data, "Reject response due to %u content encodings",
- counter);
+ if(k->writer_stack_depth++ >= MAX_ENCODE_STACK) {
+ failf(data, "Reject response due to more than %u content encodings",
+ MAX_ENCODE_STACK);
 return CURLE_BAD_CONTENT_ENCODING;
 }
 /* Stack the unencoding stage. */
diff --git a/lib/urldata.h b/lib/urldata.h
index 8f3c31dc9..21a88f001 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -643,6 +643,7 @@ struct SingleRequest {
 #ifndef CURL_DISABLE_DOH
 struct dohdata doh; /* DoH specific data for this request */
 #endif
+ unsigned char writer_stack_depth; /* Unencoding stack depth. */
 BIT(header); /* incoming data has HTTP header */
 BIT(content_range); /* set TRUE if Content-Range: was found */
 BIT(upload_done); /* set to TRUE when doing chunked transfer-encoding
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 52bdaec7c..c005d5fb2 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
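Review bot: The new `if(k->writer_stack_depth++ >= MAX_ENCODE_STACK)` check in the second content_encoding.c hunk moves the encoding counter from a local into per-request state, yet nothing in this patch clears `writer_stack_depth` again, so unless struct SingleRequest is zeroed elsewhere before the next response on a reused handle, the count carries over and a later, legitimately encoded response could be rejected with CURLE_BAD_CONTENT_ENCODING. Verify that a reset exists where the writer stack is torn down — Curl_unencode_cleanup looks like the natural spot — or add `k->writer_stack_depth = 0;` there. A smaller point: `%u` is now paired with `MAX_ENCODE_STACK`, which is presumably a plain int constant, so the format and argument types no longer match; `(unsigned int)MAX_ENCODE_STACK` or `%d` fixes that. The body of Curl_build_unencoding_stack continues outside the hunk.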
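Review bot: The comment on the added `unsigned char writer_stack_depth;` line names the field but not its contract, and since the only writer of it visible in this patch is the post-increment in Curl_build_unencoding_stack, a maintainer reading the header cannot tell whether it is expected to be reset per response. Suggest `/* Unencoding stack depth: bumped per stacked decoder in Curl_build_unencoding_stack, capped at MAX_ENCODE_STACK, must be zero before a new response is parsed. */`. Provided it is reset between responses, an unsigned char cannot overflow because the check fails the request as soon as the value reaches MAX_ENCODE_STACK, which is worth stating so the narrow type is not widened by accident. struct SingleRequest starts and ends outside the hunk.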
@@ -63,7 +63,7 @@ test350 test351 test352 test353 test354 test355 test356 \
 test393 test394 test395 \
 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
-test409 \
+test409 test418 \
 \
 test490 test491 test492 \
 \
diff --git a/tests/data/test418 b/tests/data/test418
new file mode 100644
index 000000000..6035e3fd3
--- /dev/null
+++ b/tests/data/test418
@@ -0,0 +1,155 @@ + + + +HTTP +gzip + + + +# +# Server-side + + +HTTP/1.1 200 OK +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip 
+Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip +Transfer-Encoding: gzip + +-foo- + + + +# +# Client-side + + +http + + +Response with multiple Transfer-Encoding headers + + +http://%HOSTIP:%HTTPPORT/418 -sS + + + +# +# Verify data after the test has been "shot" + + +^User-Agent: curl/.* + + +GET /418 HTTP/1.1 +Host: %HOSTIP:%HTTPPORT +User-Agent: curl/7.68.0 +Accept: */* + + + +# CURLE_BAD_CONTENT_ENCODING is 61 + +61 + + +curl: (61) Reject response due to more than 5 content encodings + + +