mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-01-12 03:24:08 +00:00
libiec61850: patch CVE-2024-45970
Details https://nvd.nist.gov/vuln/detail/CVE-2024-45970 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Ankur Tyagi
committed by
Gyorgy Sarvari
Gyorgy Sarvari
parent
a52bccdbc0
commit
2b5cc0933f
@@ -0,0 +1,73 @@
|
||||
From 3238485703baf62a66da6c9dae63eb648c230b8c Mon Sep 17 00:00:00 2001
|
||||
From: Michael Zillgith <michael.zillgith@mz-automation.de>
|
||||
Date: Tue, 23 Jul 2024 18:50:15 +0100
|
||||
Subject: [PATCH] LIB61850-449: fixed potential buffer overflows in MMS client
|
||||
file service handling
|
||||
|
||||
CVE: CVE-2024-45970
|
||||
Upstream-Status: Backport [https://github.com/mz-automation/libiec61850/commit/ac925fae8e281ac6defcd630e9dd756264e9c5bc]
|
||||
|
||||
(cherry picked from commit ac925fae8e281ac6defcd630e9dd756264e9c5bc)
|
||||
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||
---
|
||||
src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++----
|
||||
1 file changed, 19 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c
|
||||
index 4fca418e..935ba1a4 100644
|
||||
--- a/src/mms/iso_mms/client/mms_client_files.c
|
||||
+++ b/src/mms/iso_mms/client/mms_client_files.c
|
||||
@@ -487,8 +487,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi
|
||||
break;
|
||||
case 0x81: /* lastModified */
|
||||
{
|
||||
- if (lastModified != NULL) {
|
||||
+ if (lastModified != NULL)
|
||||
+ {
|
||||
char gtString[40];
|
||||
+
|
||||
+ if (length > sizeof(gtString) - 1)
|
||||
+ return false; /* lastModified string too long */
|
||||
+
|
||||
memcpy(gtString, buffer + bufPos, length);
|
||||
gtString[length] = 0;
|
||||
*lastModified = Conversions_generalizedTimeToMsTime(gtString);
|
||||
@@ -515,12 +520,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
|
||||
uint32_t fileSize = 0;
|
||||
uint64_t lastModified = 0;
|
||||
|
||||
- while (bufPos < maxBufPos) {
|
||||
+ while (bufPos < maxBufPos)
|
||||
+ {
|
||||
uint8_t tag = buffer[bufPos++];
|
||||
int length;
|
||||
|
||||
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
|
||||
- if (bufPos < 0) {
|
||||
+ if (bufPos < 0)
|
||||
+ {
|
||||
if (DEBUG_MMS_CLIENT)
|
||||
printf("MMS_CLIENT: invalid length field\n");
|
||||
return false;
|
||||
@@ -534,12 +541,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
|
||||
tag = buffer[bufPos++];
|
||||
|
||||
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
|
||||
- if (bufPos < 0) {
|
||||
+ if (bufPos < 0)
|
||||
+ {
|
||||
if (DEBUG_MMS_CLIENT)
|
||||
printf("MMS_CLIENT: invalid length field\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
+ if (length > (sizeof(fileNameMemory) - 1))
|
||||
+ {
|
||||
+ if (DEBUG_MMS_CLIENT)
|
||||
+ printf("MMS_CLIENT: filename too long\n");
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
memcpy(filename, buffer + bufPos, length);
|
||||
filename[length] = 0;
|
||||
|
||||
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/mz-automation/${BPN}.git;branch=v1.5;protocol=https
|
||||
file://0002-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \
|
||||
file://0003-LIB61850-430-fixed-null-pointer-dereference-in-mmsSe.patch \
|
||||
file://0004-LIB61850-447-replaced-unsafe-function-StringUtils_cr.patch \
|
||||
file://0005-LIB61850-449-fixed-potential-buffer-overflows-in-MMS.patch \
|
||||
"
|
||||
|
||||
S = "${WORKDIR}/git"
|
||||
|
||||
Reference in New Issue
Block a user