diff options
author | Patrick Monnerat <patrick@monnerat.net> | 2021-09-07 13:26:42 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-09-13 16:51:31 +0200 |
commit | 8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch) | |
tree | 61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/smtp.c | |
parent | 364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff) | |
download | curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz |
ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
If a server pipelines future responses within the STARTTLS response, the
former are preserved in the pingpong cache across TLS negotiation and
used as responses to the encrypted commands.
This fix detects pipelined STARTTLS responses and rejects them with an
error.
CVE-2021-22947
Bug: https://curl.se/docs/CVE-2021-22947.html
Diffstat (limited to 'lib/smtp.c')
-rw-r--r-- | lib/smtp.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/smtp.c b/lib/smtp.c index 20dc85a5f..02ddaca0a 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -834,6 +834,10 @@ static CURLcode smtp_state_starttls_resp(struct Curl_easy *data, CURLcode result = CURLE_OK; (void)instate; /* no use for this yet */ + /* Pipelining in response is forbidden. */ + if(data->conn->proto.smtpc.pp.cache_size) + return CURLE_WEIRD_SERVER_REPLY; + if(smtpcode != 220) { if(data->set.use_ssl != CURLUSESSL_TRY) { failf(data, "STARTTLS denied, code %d", smtpcode); |