From 8b24c4f7d8a9debbf3d466ccd155bc8d484f2780 Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Tue, 13 Jun 2023 12:08:13 +0200
Subject: [PATCH] Fix CVE-2021-22947

Merge: curl/curl@8ef147c43646e91
---
 r5dev/thirdparty/curl/ftp.c  | 3 +++
 r5dev/thirdparty/curl/imap.c | 4 ++++
 r5dev/thirdparty/curl/pop3.c | 4 ++++
 r5dev/thirdparty/curl/smtp.c | 4 ++++
 4 files changed, 15 insertions(+)

diff --git a/r5dev/thirdparty/curl/ftp.c b/r5dev/thirdparty/curl/ftp.c
index 84f9db90..bd841277 100644
--- a/r5dev/thirdparty/curl/ftp.c
+++ b/r5dev/thirdparty/curl/ftp.c
@@ -2731,6 +2731,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
     case FTP_AUTH:
       /* we have gotten the response to a previous AUTH command */
 
+      if(pp->cache_size)
+        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
+
       /* RFC2228 (page 5) says:
        *
        * If the server is willing to accept the named security mechanism,
diff --git a/r5dev/thirdparty/curl/imap.c b/r5dev/thirdparty/curl/imap.c
index 8259e1ce..535eaf98 100644
--- a/r5dev/thirdparty/curl/imap.c
+++ b/r5dev/thirdparty/curl/imap.c
@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
 
   (void)instate; /* no use for this yet */
 
+  /* Pipelining in response is forbidden. */
+  if(conn->proto.imapc.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
   if(imapcode != 'O') {
     if(data->set.use_ssl != CURLUSESSL_TRY) {
       failf(data, "STARTTLS denied");
diff --git a/r5dev/thirdparty/curl/pop3.c b/r5dev/thirdparty/curl/pop3.c
index 7c6c5999..ba5bc045 100644
--- a/r5dev/thirdparty/curl/pop3.c
+++ b/r5dev/thirdparty/curl/pop3.c
@@ -793,6 +793,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
 
   (void)instate; /* no use for this yet */
 
+  /* Pipelining in response is forbidden. */
+  if(conn->proto.pop3c.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
   if(pop3code != '+') {
     if(data->set.use_ssl != CURLUSESSL_TRY) {
       failf(data, "STARTTLS denied");
diff --git a/r5dev/thirdparty/curl/smtp.c b/r5dev/thirdparty/curl/smtp.c
index b2bbc878..b6f0e988 100644
--- a/r5dev/thirdparty/curl/smtp.c
+++ b/r5dev/thirdparty/curl/smtp.c
@@ -695,6 +695,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
 
   (void)instate; /* no use for this yet */
 
+  /* Pipelining in response is forbidden. */
+  if(conn->proto.smtpc.pp.cache_size)
+    return CURLE_WEIRD_SERVER_REPLY;
+
   if(smtpcode != 220) {
     if(data->set.use_ssl != CURLUSESSL_TRY) {
       failf(data, "STARTTLS denied, code %d", smtpcode);