From 407f47d8353ab3d4ee7a28a24c8cfd61e3377fd4 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 19 Dec 2022 08:36:55 +0100 Subject: [PATCH 1/2] http: use the IDN decoded name in HSTS checks Otherwise it stores the info HSTS into the persistent cache for the IDN name which will not match when the HSTS status is later checked for using the decoded name. Reported-by: Hiroki Kurosawa Closes #10111 CVE: CVE-2022-43551 Signed-off-by: zhouhaifeng
---
 lib/http.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/http.c b/lib/http.c
index 18a6921f1..d666efc7d 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -3671,7 +3671,7 @@ CURLcode Curl_http_header(struct Curl_easy *data, struct connectdata *conn,
 else if(data->hsts && checkprefix("Strict-Transport-Security:", headp) &&
 (conn->handler->flags & PROTOPT_SSL)) {
 CURLcode check =
- Curl_hsts_parse(data->hsts, data->state.up.hostname,
+ Curl_hsts_parse(data->hsts, conn->host.name,
 headp + strlen("Strict-Transport-Security:"));
 if(check)
 infof(data, "Illegal STS header skipped");
-- Gitee
From 0865ec4aa82b58f296d0cfb4c8c5d942b4dc2891 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 19 Dec 2022 08:38:37 +0100 Subject: [PATCH 2/2] smb/telnet: do not free the protocol struct in *_done() It is managed by the generic layer. Reported-by: Trail of Bits Closes #10112 CVE: CVE-2022-43552 Signed-off-by: zhouhaifeng
---
 lib/smb.c | 14 ++------------
 lib/telnet.c | 3 ---
 2 files changed, 2 insertions(+), 15 deletions(-)
diff --git a/lib/smb.c b/lib/smb.c
index fd49cf6aa..1c458a3dd 100644
--- a/lib/smb.c
+++ b/lib/smb.c
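Review bot: In the lib/http.c hunk, the `Curl_hsts_parse()` call now passes `conn->host.name`, but nothing at the call site says why this name is used instead of `data->state.up.hostname`, so the cache-key invariant the fix relies on is easy to undo. I would add above the call `/* store under the IDN-decoded host name, the same form the later HSTS lookup uses */`. The diffstat lists only lib/http.c, so no regression test accompanies the fix; a test that receives Strict-Transport-Security for an IDN host and then checks that the stored entry matches on the next lookup would pin the behaviour. Curl_http_header starts and ends outside this hunk.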
@@ -60,8 +60,6 @@ static CURLcode smb_connect(struct Curl_easy *data, bool *done);
 static CURLcode smb_connection_state(struct Curl_easy *data, bool *done);
 static CURLcode smb_do(struct Curl_easy *data, bool *done);
 static CURLcode smb_request_state(struct Curl_easy *data, bool *done);
-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
- bool premature);
 static CURLcode smb_disconnect(struct Curl_easy *data,
 struct connectdata *conn, bool dead);
 static int smb_getsock(struct Curl_easy *data, struct connectdata *conn,
@@ -76,7 +74,7 @@ const struct Curl_handler Curl_handler_smb = {
 "SMB", /* scheme */
 smb_setup_connection, /* setup_connection */
 smb_do, /* do_it */
- smb_done, /* done */
+ ZERO_NULL, /* done */
 ZERO_NULL, /* do_more */
 smb_connect, /* connect_it */
 smb_connection_state, /* connecting */
@@ -103,7 +101,7 @@ const struct Curl_handler Curl_handler_smbs = {
 "SMBS", /* scheme */
 smb_setup_connection, /* setup_connection */
 smb_do, /* do_it */
- smb_done, /* done */
+ ZERO_NULL, /* done */
 ZERO_NULL, /* do_more */
 smb_connect, /* connect_it */
 smb_connection_state, /* connecting */
@@ -940,14 +938,6 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
 return CURLE_OK;
 }
-static CURLcode smb_done(struct Curl_easy *data, CURLcode status,
- bool premature)
-{
- (void) premature;
- Curl_safefree(data->req.p.smb);
- return status;
-}
-
 static CURLcode smb_disconnect(struct Curl_easy *data,
 struct connectdata *conn, bool dead)
 {
diff --git a/lib/telnet.c b/lib/telnet.c
index a81bb81c3..579320341 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -1246,9 +1246,6 @@ static CURLcode telnet_done(struct Curl_easy *data,
 curl_slist_free_all(tn->telnet_vars);
 tn->telnet_vars = NULL;
-
- Curl_safefree(data->req.p.telnet);
-
 return CURLE_OK;
 }
-- Gitee
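Review bot: In lib/smb.c the `ZERO_NULL, /* done */` entry in `Curl_handler_smb`, and the identical one in `Curl_handler_smbs`, gives no hint that the missing done callback is deliberate, so a later change could put a free of `data->req.p.smb` back. A comment on that entry such as `/* done: req.p.smb is owned and freed by the generic layer */` would record the ownership rule the commit message states. The generic-layer release is not visible in this patch, so it is worth confirming that it runs on every completion path; otherwise removing `smb_done()` would leave the struct unreleased. Both handler tables continue outside their hunks.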