ftp,imap,pop3,smtp: reject STARTTLS server response pipelining

If a server pipelines future responses within the STARTTLS response, the former are preserved in the pingpong cache across TLS negotiation and used as responses to the encrypted commands. This fix detects pipelined STARTTLS responses and rejects them with an error. CVE-2021-22947 Bug: https://curl.se/docs/CVE-2021-22947.html
author: Patrick Monnerat <patrick@monnerat.net> 2021-09-07 13:26:42 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2021-09-13 16:51:31 +0200
commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch)
tree: 61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/imap.c
parent: 364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff)
download: curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/imap.c b/lib/imap.c
index 923b1d59b..6163899bb 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -963,6 +963,10 @@ static CURLcode imap_state_starttls_resp(struct Curl_easy *data,
 
   (void)instate; /* no use for this yet */
 
+  /* Pipelining in response is forbidden. */
+  if(data->conn->proto.imapc.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
   if(imapcode != IMAP_RESP_OK) {
     if(data->set.use_ssl != CURLUSESSL_TRY) {
       failf(data, "STARTTLS denied");
author	Patrick Monnerat <patrick@monnerat.net>	2021-09-07 13:26:42 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2021-09-13 16:51:31 +0200
commit	8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch)
tree	61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/imap.c
parent	364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff)
download	curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz