From 29b251362e1839d7094993edbed8f9467069773f Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 25 Sep 2017 00:35:22 +0200
Subject: [PATCH] FTP: zero terminate the entry path even on bad input

... a single double quote could leave the entry path buffer without a zero terminating byte.

CVE-2017-1000254

Test 1152 added to verify.

Reported-by: Max Dymond
Bug: https://curl.haxx.se/docs/adv_20171004.html
---
 lib/ftp.c | 7 ++++--
 3 files changed, 67 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test1152

diff --git a/lib/ftp.c b/lib/ftp.c
index 4860509f3..54ba4057f 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2777,10 +2777,11 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 if(ftpcode == 257) {
 char *ptr = &data->state.buffer[4]; /* start on the first letter */
 const size_t buf_size = data->set.buffer_size;
 char *dir;
 char *store;
+ bool entry_extracted = FALSE;
 dir = malloc(nread + 1);
 if(!dir)
 return CURLE_OUT_OF_MEMORY;
@@ -2808,20 +2809,22 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
 *store = ptr[1];
 ptr++;
 }
 else {
 /* end of path */
- *store = '\0'; /* zero terminate */
+ entry_extracted = TRUE;
 break; /* get out of this loop */
 }
 }
 else
 *store = *ptr;
 store++;
 ptr++;
 }
-
+ *store = '\0'; /* zero terminate */
+ }
+ if(entry_extracted) {
 /* If the path name does not look like an absolute path (i.e.: it does not start with a '/'), we probably need some server-dependent adjustments. For example, this is the case when connecting to an OS400 FTP server: this server supports two name syntaxes, the default one being incompatible with standard paths. In
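Review bot: The new `entry_extracted` flag in the first hunk is declared without a comment, yet it now decides whether the copied `dir` is used at all (the second hunk gates the path adjustments on `if(entry_extracted)`), so its meaning belongs next to the declaration: `bool entry_extracted = FALSE; /* TRUE only once the "end of path" branch of the copy loop is reached */`. Because the terminator write has moved to after the loop, `dir` is NUL-terminated on every exit from the loop, including the truncated-reply case the advisory describes; a one-line comment at the allocation, `/* nread + 1: room for the terminator written after the copy loop */`, would tie the malloc size to that invariant for the next reader. The enclosing `ftpcode == 257` case continues outside these hunks, so what happens to `dir` when the flag stays FALSE cannot be confirmed from here.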