CVE-2022-32208: When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures...
CVSS base score: 5.9
Root Cause Analysis (Miggo AI)
The vulnerability CVE-2022-32208 concerns incorrect handling of krb5 message verification failures in curl's FTP transfers. The commit 6ecdf5136b52af747e7bda08db9a748256b1cd09 directly addresses this.
The function krb5_decode in lib/krb5.c calls gss_unwrap to verify each incoming message. The patch shows that the previous handling of a gss_unwrap failure was flawed in two ways: it attempted a strcpy into the caller's buffer, which could be an out-of-bounds write, and, more importantly, it did not consistently return an error, so a message that failed verification could still be treated as valid data. The fix ensures that krb5_decode returns -1 on failure.
The read_data function in the same file calls conn->mech->decode, which points to krb5_decode in this context. It was updated to check the return value of the decode function and to propagate CURLE_RECV_ERROR whenever that function indicates an error (a return value < 0). This makes krb5_decode the primary vulnerable function, because of its direct role in message verification and its incorrect error handling, and read_data a closely related function that was part of the vulnerable execution path and needed changes for the fix to be effective.
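The pattern the fix establishes, as an added example that is not curl's code: a decode routine that returns -1 on verification failure, beside the pre-fix caller that stores that result into a size_t unchecked and the post-fix caller that turns it into CURLE_RECV_ERROR. The decode function is a stand-in for krb5_decode/gss_unwrap and verifies a constructed one-byte XOR tag, not a real GSS MIC; the message and the tampering step are constructed for the demonstration.

```c
/* Added example, not curl's code: models the CVE-2022-32208 fix above.
 * decode() stands in for krb5_decode()/gss_unwrap() and verifies a
 * constructed one-byte XOR tag, not a real GSS MIC. */
#include <sys/types.h>

#define CURLE_OK 0
#define CURLE_RECV_ERROR 56          /* curl's real value for this code */

static size_t last_size;             /* what the caller believed it read */

/* Message = payload || 1-byte XOR tag. Patched contract: returns the payload
 * length, or -1 when the tag does not verify (gss_unwrap not GSS_S_COMPLETE). */
static ssize_t decode(const unsigned char *buf, size_t len)
{
  unsigned char x = 0;
  size_t i;
  if(len < 1) return -1;
  for(i = 0; i + 1 < len; i++)
    x ^= buf[i];
  return (x == buf[len - 1]) ? (ssize_t)(len - 1) : -1;
}

/* Pre-fix read_data(): -1 lands in a size_t unchecked, so a failed
 * verification is reported as a huge "successful" read of unverified data. */
static int read_data_vuln(const unsigned char *buf, size_t len)
{
  last_size = (size_t)decode(buf, len);   /* BUG: no "< 0" check */
  return CURLE_OK;
}

/* Post-fix read_data(): a negative decode result becomes CURLE_RECV_ERROR. */
static int read_data_fixed(const unsigned char *buf, size_t len)
{
  ssize_t n = decode(buf, len);
  if(n < 0)
    return CURLE_RECV_ERROR;
  last_size = (size_t)n;
  return CURLE_OK;
}

/* Runs one caller on a constructed "hello"+tag message, optionally with one
 * payload bit flipped in transit; returns the CURLcode, sets last_size. */
static int run(int fixed, int tamper)
{
  unsigned char msg[6] = {'h', 'e', 'l', 'l', 'o', 0};
  size_t i;
  for(i = 0; i < 5; i++)
    msg[5] ^= msg[i];                 /* compute the tag */
  if(tamper)
    msg[0] ^= 0x20;                   /* "hello" -> "Hello", tag now stale */
  return fixed ? read_data_fixed(msg, 6) : read_data_vuln(msg, 6);
}
```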