From 782a5e8e5b0271f8cb33eeef6a3819b0149093e0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 May 2022 23:13:53 +0200 Subject: [PATCH] url: check SSH config match on connection reuse CVE-2022-27782 Reported-by: Harry Sintonen Bug: https://curl.se/docs/CVE-2022-27782.html Closes #8825 Upstream-Status: Backport [https://github.com/curl/curl/commit/1645e9b44505abd5cbaf65da5282c3f33b5924a5] Signed-off-by: Robert Joslyn --- lib/url.c | 11 +++++++++++ lib/vssh/ssh.h | 6 +++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/lib/url.c b/lib/url.c index 5ebf5e2..c713e54 100644 --- a/lib/url.c +++ b/lib/url.c @@ -1098,6 +1098,12 @@ static void prune_dead_connections(struct Curl_easy *data) } } +static bool ssh_config_matches(struct connectdata *one, + struct connectdata *two) +{ + return (Curl_safecmp(one->proto.sshc.rsa, two->proto.sshc.rsa) && + Curl_safecmp(one->proto.sshc.rsa_pub, two->proto.sshc.rsa_pub)); +} /* * Given one filled in connection struct (named needle), this function should * detect if there already is one that has all the significant details @@ -1356,6 +1362,11 @@ ConnectionExists(struct Curl_easy *data, (data->state.httpwant < CURL_HTTP_VERSION_2_0)) continue; + if(get_protocol_family(needle->handler) == PROTO_FAMILY_SSH) { + if(!ssh_config_matches(needle, check)) + continue; + } + if((needle->handler->flags&PROTOPT_SSL) #ifndef CURL_DISABLE_PROXY || !needle->bits.httpproxy || needle->bits.tunnel_proxy diff --git a/lib/vssh/ssh.h b/lib/vssh/ssh.h index 7972081..30d82e5 100644 --- a/lib/vssh/ssh.h +++ b/lib/vssh/ssh.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2022, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -131,8 +131,8 @@ struct ssh_conn { /* common */ const char *passphrase; /* pass-phrase to use */ - char *rsa_pub; /* path name */ - char *rsa; /* path name */ + char *rsa_pub; /* strdup'ed public key file */ + char *rsa; /* strdup'ed private key file */ bool authed; /* the connection has been authenticated fine */ bool acceptfail; /* used by the SFTP_QUOTE (continue if quote command fails) */