KurohiroH1:1721098curl: CVE-2022-35260: .netrc parser out-of-bounds access
0.002 Low
EPSS
Percentile
52.1%
Summary:
Curl expects the .netrc file to have space characters. So if there is no space character, it will do an out-of-bounds read and a 1-byte out-of-bounds write.
This can happen multiple times depending on the state of the memory.
Steps To Reproduce:
curl --netrc-file .netrc test.local
“.netrc” is attached.
The content is ‘a’ for 4095 bytes.
Depending on memory conditions, even single-byte files can cause problems.
It’s not exactly just spaces and newlines.
The condition is that the .netrc file does not contain characters for which ISSPACE() returns true (so it is also a condition that there is no line feed code).
There is a problem with parsenetrc() in lib/netrc.c.
parsenetrc() has the following loop.
while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
char *tok;
char *tok_end;
bool quoted;
if(state == MACDEF) {
if((netrcbuffer[0] == '\n') || (netrcbuffer[0] == '\r'))
state = NOTHING;
else
continue;
}
tok = netrcbuffer;
while(tok) {
while(ISSPACE(*tok))
tok++;
/* tok is first non-space letter */
if(!*tok || (*tok == '#'))
/* end of line or the rest is a comment */
break;
/* leading double-quote means quoted string */
quoted = (*tok == '\"');
tok_end = tok;
if(!quoted) {
while(!ISSPACE(*tok_end))
tok_end++;
*tok_end = 0;
}
The ‘a’ and the terminating character ‘\0’ in the .netrc file are characters for which ISSPACE() returns false, so while on line 25 is true(!false).
This causes an out-of-bounds read.
Also, line 27 is an out-of-bounds write. (1 byte for '\0).
Remediation ideas:
I think it would be better to include the condition that *tok is not NULL in the while statement.
Impact
Application crash plus other as yet undetermined consequences.
Related
