| author | Patrick Monnerat <patrick@monnerat.net> | 2021-09-07 13:26:42 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2021-09-13 16:51:31 +0200 |
| commit | 8ef147c43646e91fdaad5d0e7b60351f842e5c68 (patch) | |
| tree | 61bc65da37b6c6e56a161c3ce841d15a4cc8b786 /lib/pop3.c | |
| parent | 364f174724ef115c63d5e5dc1d3342c8a43b1cca (diff) | |
| download | curl-8ef147c43646e91fdaad5d0e7b60351f842e5c68.tar.gz | |
ftp,imap,pop3,smtp: reject STARTTLS server response pipelining
If a server pipelines future responses within the STARTTLS response, the
former are preserved in the pingpong cache across TLS negotiation and
used as responses to the encrypted commands.
This fix detects pipelined STARTTLS responses and rejects them with an
error.
CVE-2021-22947
Bug: https://curl.se/docs/CVE-2021-22947.html
Diffstat (limited to 'lib/pop3.c')

| -rw-r--r-- | lib/pop3.c | 4 |
|---|---|---|

1 files changed, 4 insertions, 0 deletions
diff --git a/lib/pop3.c b/lib/pop3.c index a331d71f7..d3f3de6d4 100644 --- a/lib/pop3.c +++ b/lib/pop3.c @@ -771,6 +771,10 @@ static CURLcode pop3_state_starttls_resp(struct Curl_easy *data, CURLcode result = CURLE_OK; (void)instate; /* no use for this yet */ + /* Pipelining in response is forbidden. */ + if(data->conn->proto.pop3c.pp.cache_size) + return CURLE_WEIRD_SERVER_REPLY; + if(pop3code != '+') { if(data->set.use_ssl != CURLUSESSL_TRY) { failf(data, "STARTTLS denied"); |
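Review bot: the comment on the new check in pop3_state_starttls_resp should say why a non-empty cache is rejected, since `/* Pipelining in response is forbidden. */` reads like a protocol nicety rather than the security reason given in the commit message; suggest extending it to note that bytes left in `pp.cache_size` would survive the TLS handshake and be consumed as replies to the first encrypted commands (the CVE-2021-22947 scenario). Placing the `cache_size` test before `if(pop3code != '+')` is the right order, because a denied STARTTLS under CURLUSESSL_TRY continues on the same connection and would otherwise keep the stale cached data as well. Since this diffstat covers only lib/pop3.c, the ftp, imap and smtp handlers named in the subject need the equivalent check against their own pingpong cache, and a test exercising a pipelined STARTTLS reply would help keep all four in step.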