ftp,imap,pop3,smtp: reject STARTTLS server response pipelining

If a server pipelines future responses within the STARTTLS response, the former are preserved in the pingpong cache across TLS negotiation and used as responses to the encrypted commands. This fix detects pipelined STARTTLS responses and rejects them with an error. CVE-2021-22947 Bug: https://curl.se/docs/CVE-2021-22947.html
author: Patrick Monnerat <patrick@monnerat.net> 2021-09-07 13:26:42 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2021-09-13 16:51:31 +0200
commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch)
tree: 61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/ftp.c
parent: 364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff)
download: curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/ftp.c b/lib/ftp.c
index 08d18ca74..0b9c9b732 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2743,6 +2743,9 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
     case FTP_AUTH:
       /* we have gotten the response to a previous AUTH command */
 
+      if(pp->cache_size)
+        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
+
       /* RFC2228 (page 5) says:
        *
        * If the server is willing to accept the named security mechanism,
author	Patrick Monnerat <patrick@monnerat.net>	2021-09-07 13:26:42 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2021-09-13 16:51:31 +0200
commit	8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch)
tree	61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/ftp.c
parent	364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff)
download	curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz