From 36048e8fef019c5be938f8a688845b6eef1d46ab Mon Sep 17 00:00:00 2001
From: Timo Teräs <timo.teras@iki.fi>
Date: Fri, 16 Jul 2021 10:54:08 +0300
Subject: libfetch: fix range checking for http/ftp protocol parsing

Various parsing of numeric strings were not having adequate range
checking causing information leak or potential crash.

CVE-2021-36159
fixes #10749

Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>
---
 libfetch/common.h | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'libfetch/common.h')

diff --git a/libfetch/common.h b/libfetch/common.h
index dd5c14c..2c16bf7 100644
--- a/libfetch/common.h
+++ b/libfetch/common.h
@@ -38,6 +38,8 @@
 #define FTP_DEFAULT_PROXY_PORT	21
 #define HTTP_DEFAULT_PROXY_PORT	3128
 
+#include <sys/types.h>
+#include <limits.h>
 #include "openssl-compat.h"
 
 #if defined(__GNUC__) && __GNUC__ >= 3
@@ -53,6 +55,14 @@
 #define HAVE_SA_LEN
 #endif
 
+#ifndef IPPORT_MAX
+# define IPPORT_MAX 65535
+#endif
+
+#ifndef OFF_MAX
+# define OFF_MAX (((((off_t)1 << (sizeof(off_t) * CHAR_BIT - 2)) - 1) << 1) + 1)
+#endif
+
 /* Connection */
 typedef struct fetchconn conn_t;
 
@@ -86,6 +96,7 @@ struct fetcherr {
 void		 fetch_seterr(struct fetcherr *, int);
 void		 fetch_syserr(void);
 void		 fetch_info(const char *, ...)  LIBFETCH_PRINTFLIKE(1, 2);
+uintmax_t	 fetch_parseuint(const char *p, const char **endptr, int radix, uintmax_t max);
 int		 fetch_default_port(const char *);
 int		 fetch_default_proxy_port(const char *);
 int		 fetch_bind(int, int, const char *);
@@ -125,7 +136,6 @@ fetchIO		*http_request(struct url *, const char *,
 fetchIO		*ftp_request(struct url *, const char *, const char *,
 		     struct url_stat *, struct url *, const char *);
 
-
 /*
  * Check whether a particular flag is set
  */
-- 
cgit v1.2.3-60-g2f50