From 701f52670f55830fbf0e592ffe5600a69889be8b Mon Sep 17 00:00:00 2001 From: Brad King Date: Thu, 12 Oct 2023 15:41:37 -0400 Subject: curl: Backport SOCKS5 heap buffer overflow fix from curl 8.4.0 Backport upstream curl commit `fb4415d8ae` (socks: return error if hostname too long for remote resolve, 2023-10-11, curl-8_4_0~2) to address CVE-2023-38545. Issue: #25329 --- Utilities/cmcurl/lib/socks.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Utilities/cmcurl/lib/socks.c b/Utilities/cmcurl/lib/socks.c index d491e08..e7da5b4 100644 --- a/Utilities/cmcurl/lib/socks.c +++ b/Utilities/cmcurl/lib/socks.c @@ -539,9 +539,9 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, /* RFC1928 chapter 5 specifies max 255 chars for domain name in packet */ if(!socks5_resolve_local && hostname_len > 255) { - infof(data, "SOCKS5: server resolving disabled for hostnames of " - "length > 255 [actual len=%zu]", hostname_len); - socks5_resolve_local = TRUE; + failf(data, "SOCKS5: the destination hostname is too long to be " + "resolved remotely by the proxy."); + return CURLPX_LONG_HOSTNAME; } if(auth & ~(CURLAUTH_BASIC | CURLAUTH_GSSAPI)) @@ -882,7 +882,7 @@ static CURLproxycode do_SOCKS5(struct Curl_cfilter *cf, } else { socksreq[len++] = 3; - socksreq[len++] = (char) hostname_len; /* one byte address length */ + socksreq[len++] = (unsigned char) hostname_len; /* one byte length */ memcpy(&socksreq[len], sx->hostname, hostname_len); /* w/o NULL */ len += hostname_len; } -- cgit v0.12