aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2017-10-19 14:41:14 +0200
committerDaniel Stenberg <daniel@haxx.se>2017-10-20 15:06:25 +0200
commit769647e714b8da41bdb72720bf02dce56033e02e (patch)
tree3d82a374ee3f68721515637042a5bd01b4ebbbdb /lib
parent8351ab45105c3e58c38205c045477198ff887829 (diff)
ftp: reject illegal IP/port in PASV 227 response
... by using range checks. Among other things, this avoids an undefined behavior for a left shift that could happen on negative or very large values. Closes #1997 Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694
Diffstat (limited to 'lib')
-rw-r--r--lib/ftp.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/lib/ftp.c b/lib/ftp.c
index 0c9df7890..edcfd5f80 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -1874,8 +1874,8 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
else if((ftpc->count1 == 1) &&
(ftpcode == 227)) {
/* positive PASV response */
- int ip[4];
- int port[2];
+ unsigned int ip[4];
+ unsigned int port[2];
/*
* Scan for a sequence of six comma-separated numbers and use them as
@@ -1887,14 +1887,15 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
* "227 Entering passive mode. 127,0,0,1,4,51"
*/
while(*str) {
- if(6 == sscanf(str, "%d,%d,%d,%d,%d,%d",
+ if(6 == sscanf(str, "%u,%u,%u,%u,%u,%u",
&ip[0], &ip[1], &ip[2], &ip[3],
&port[0], &port[1]))
break;
str++;
}
- if(!*str) {
+ if(!*str || (ip[0] > 255) || (ip[1] > 255) || (ip[2] > 255) ||
+ (ip[3] > 255) || (port[0] > 255) || (port[1] > 255) ) {
failf(data, "Couldn't interpret the 227-response");
return CURLE_FTP_WEIRD_227_FORMAT;
}