ftp,imap,pop3,smtp: reject STARTTLS server response pipelining

If a server pipelines future responses within the STARTTLS response, the former are preserved in the pingpong cache across TLS negotiation and used as responses to the encrypted commands. This fix detects pipelined STARTTLS responses and rejects them with an error. CVE-2021-22947 Bug: https://curl.se/docs/CVE-2021-22947.html
author: Patrick Monnerat <patrick@monnerat.net> 2021-09-07 13:26:42 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2021-09-13 16:51:31 +0200
commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch)
tree: 61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/pop3.c
parent: 364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff)
download: curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/pop3.c b/lib/pop3.c
index a331d71f7..d3f3de6d4 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data,
   CURLcode result = CURLE_OK;
   (void)instate; /* no use for this yet */
 
+  /* Pipelining in response is forbidden. */
+  if(data->conn->proto.pop3c.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
   if(pop3code != '+') {
     if(data->set.use_ssl != CURLUSESSL_TRY) {
       failf(data, "STARTTLS denied");
author	Patrick Monnerat <patrick@monnerat.net>	2021-09-07 13:26:42 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2021-09-13 16:51:31 +0200
commit	8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch)
tree	61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/pop3.c
parent	364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff)
download	curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz