From 3ff3989ec53d9ddcf4bdd99f5d5788dd87486768 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 4 Oct 2022 14:37:24 +0200
Subject: [PATCH] netrc: replace fgets with Curl_get_line
Upstream-Status: Backport
CVE: CVE-2022-35260
Reference to upstream patch: https://github.com/curl/curl/commit/c97ec984fb2bc919a3aa863e0476dffa377b184c
Make the parser only accept complete lines and avoid problems with overly long lines.
Reported-by: Hiroki Kurosawa
Closes #9789
---
 lib/curl_get_line.c | 4 ++--
 lib/netrc.c | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/lib/curl_get_line.c b/lib/curl_get_line.c
index c4194851ae09..4b9eea9e631c 100644
--- a/lib/curl_get_line.c
+++ b/lib/curl_get_line.c
@@ -28,8 +28,8 @@
 #include "memdebug.h"
 /*
- * get_line() makes sure to only return complete whole lines that fit in 'len'
- * bytes and end with a newline.
+ * Curl_get_line() makes sure to only return complete whole lines that fit in
+ * 'len' bytes and end with a newline.
 */
 char *Curl_get_line(char *buf, int len, FILE *input)
 {
diff --git a/lib/netrc.c b/lib/netrc.c
index 1c9da31993c9..93239132c9d8 100644
--- a/lib/netrc.c
+++ b/lib/netrc.c
@@ -31,6 +31,7 @@
 #include "netrc.h"
 #include "strtok.h"
 #include "strcase.h"
+#include "curl_get_line.h"
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
@@ -83,7 +84,7 @@ static int parsenetrc(const char *host,
 char netrcbuffer[4096];
 int netrcbuffsize = (int)sizeof(netrcbuffer);
- while(!done && fgets(netrcbuffer, netrcbuffsize, file)) {
+ while(!done && Curl_get_line(netrcbuffer, netrcbuffsize, file)) {
 tok = strtok_r(netrcbuffer, " \t\n", &tok_buf);
 if(tok && *tok == '#')
 /* treat an initial hash as a comment line */
@@ -169,7 +170,7 @@ static int parsenetrc(const char *host,
 tok = strtok_r(NULL, " \t\n", &tok_buf);
 } /* while(tok) */
- } /* while fgets() */
+ } /* while Curl_get_line() */
 out:
 if(!retcode) {
--
2.34.1
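Review bot: The switch to `Curl_get_line()` in the `while` condition of `parsenetrc()` changes which lines reach the tokenizer, and nothing at the call site says so. Going by the header comment in lib/curl_get_line.c in this same patch, only complete lines that fit in the 4096-byte `netrcbuffer` and end with a newline are returned, so an over-long line and, presumably, a final line without a trailing newline are now skipped without any diagnostic, and a credential on such a line is silently not used. I would add a comment above the loop, `/* Curl_get_line() only returns complete newline-terminated lines that fit in netrcbuffer; longer or unterminated lines are skipped */`, and a regression test with an over-long line followed by a valid entry, to confirm the parser state carried across the skipped line is what is intended. The body of parsenetrc() starts and ends outside this hunk, so the state handling could not be checked here.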