diff options
author | Seonah Moon <seonah1.moon@samsung.com> | 2019-07-23 17:51:14 +0900 |
---|---|---|
committer | Seonah Moon <seonah1.moon@samsung.com> | 2019-07-23 17:51:18 +0900 |
commit | dcbf5ac83708a6edb385b9fde2a963d9986f2f77 (patch) | |
tree | 68364cd44d4bd4744fa7102e2185b21089c97b29 | |
parent | 01fd1f857cb7b82536f890066f17ec2d7b9f406e (diff) | |
download | curl-dcbf5ac83708a6edb385b9fde2a963d9986f2f77.tar.gz curl-dcbf5ac83708a6edb385b9fde2a963d9986f2f77.tar.bz2 curl-dcbf5ac83708a6edb385b9fde2a963d9986f2f77.zip |
CURL_MAX_INPUT_LENGTH: largest acceptable string input size
This limits all accepted input strings passed to libcurl to be less than
CURL_MAX_INPUT_LENGTH (8000000) bytes, for these API calls:
curl_easy_setopt() and curl_url_set().
The 8000000 number is arbitrary picked and is meant to detect mistakes
or abuse, not to limit actual practical use cases. By limiting the
acceptable string lengths we also reduce the risk of integer overflows
all over.
NOTE: This does not apply to `CURLOPT_POSTFIELDS`.
Test 1559 verifies.
ClosesThis commit closes pull request #3805. #3805
CVE-2019-5435
Change-Id: I0a6d76769e1471352a477a8b1160672757a2de54
-rw-r--r-- | lib/setopt.c | 7 | ||||
-rw-r--r-- | lib/urlapi.c | 8 | ||||
-rw-r--r-- | lib/urldata.h | 4 |
3 files changed, 19 insertions, 0 deletions
diff --git a/lib/setopt.c b/lib/setopt.c index 22956a20f..06c5f5871 100644 --- a/lib/setopt.c +++ b/lib/setopt.c @@ -60,6 +60,13 @@ CURLcode Curl_setstropt(char **charp, const char *s) if(s) { char *str = strdup(s); + if(str) { + size_t len = strlen(str); + if(len > CURL_MAX_INPUT_LENGTH) { + free(str); + return CURLE_BAD_FUNCTION_ARGUMENT; + } + } if(!str) return CURLE_OUT_OF_MEMORY; diff --git a/lib/urlapi.c b/lib/urlapi.c index c53e52343..f1ef28b0b 100644 --- a/lib/urlapi.c +++ b/lib/urlapi.c @@ -621,6 +621,10 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags) ************************************************************/ /* allocate scratch area */ urllen = strlen(url); + if(urllen > CURL_MAX_INPUT_LENGTH) + /* excessive input length */ + return CURLUE_MALFORMED_INPUT; + path = u->scratch = malloc(urllen * 2 + 2); if(!path) return CURLUE_OUT_OF_MEMORY; @@ -1249,6 +1253,10 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, const char *newp = part; size_t nalloc = strlen(part); + if(nalloc > CURL_MAX_INPUT_LENGTH) + /* excessive input length */ + return CURLUE_MALFORMED_INPUT; + if(urlencode) { const char *i; char *o; diff --git a/lib/urldata.h b/lib/urldata.h index 11a6a22c6..5e9b52f29 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -79,6 +79,10 @@ */ #define RESP_TIMEOUT (1800*1000) +/* Max string intput length is a precaution against abuse and to detect junk + input easier and better. */ +#define CURL_MAX_INPUT_LENGTH 8000000 + #include "cookie.h" #include "psl.h" #include "formdata.h" |