From 769647e714b8da41bdb72720bf02dce56033e02e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 19 Oct 2017 14:41:14 +0200 Subject: ftp: reject illegal IP/port in PASV 227 response ... by using range checks. Among other things, this avoids an undefined behavior for a left shift that could happen on negative or very large values. Closes #1997 Detected by OSS-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3694 --- lib/ftp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/ftp.c b/lib/ftp.c index 0c9df7890..edcfd5f80 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -1874,8 +1874,8 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn, else if((ftpc->count1 == 1) && (ftpcode == 227)) { /* positive PASV response */ - int ip[4]; - int port[2]; + unsigned int ip[4]; + unsigned int port[2]; /* * Scan for a sequence of six comma-separated numbers and use them as @@ -1887,14 +1887,15 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn, * "227 Entering passive mode. 127,0,0,1,4,51" */ while(*str) { - if(6 == sscanf(str, "%d,%d,%d,%d,%d,%d", + if(6 == sscanf(str, "%u,%u,%u,%u,%u,%u", &ip[0], &ip[1], &ip[2], &ip[3], &port[0], &port[1])) break; str++; } - if(!*str) { + if(!*str || (ip[0] > 255) || (ip[1] > 255) || (ip[2] > 255) || + (ip[3] > 255) || (port[0] > 255) || (port[1] > 255) ) { failf(data, "Couldn't interpret the 227-response"); return CURLE_FTP_WEIRD_227_FORMAT; } -- cgit v1.2.3