mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
libupnp: Fix out-of-bound access in create_url_list() (CVE-2016-8863)
If there is an invalid URL in URLS->buf after a valid one, uri_parse is
called with out pointing after the allocated memory. As uri_parse writes
to *out before returning an error the loop in create_url_list must be
stopped early to prevent an out-of-bound access
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
(cherry picked from commit b4659368a0)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
b53fe10e02
commit
56f6f5585d
@@ -0,0 +1,57 @@
|
|||||||
|
libupnp-1.6.19: Fix CVE-2016-8863
|
||||||
|
|
||||||
|
[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771
|
||||||
|
|
||||||
|
gena_device: Fix out-of-bound access in create_url_list()
|
||||||
|
|
||||||
|
If there is an invalid URL in URLS->buf after a valid one, uri_parse is
|
||||||
|
called with out pointing after the allocated memory. As uri_parse writes
|
||||||
|
to *out before returning an error the loop in create_url_list must be
|
||||||
|
stopped early to prevent an out-of-bound access
|
||||||
|
|
||||||
|
Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7]
|
||||||
|
CVE: CVE-2016-8863
|
||||||
|
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
|
||||||
|
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
|
||||||
|
|
||||||
|
diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
|
||||||
|
index 39edc0b..0fd60ad 100644
|
||||||
|
--- a/upnp/src/gena/gena_device.c
|
||||||
|
+++ b/upnp/src/gena/gena_device.c
|
||||||
|
@@ -1133,7 +1133,7 @@ static int create_url_list(
|
||||||
|
/*! [out] . */
|
||||||
|
URL_list *out)
|
||||||
|
{
|
||||||
|
- size_t URLcount = 0;
|
||||||
|
+ size_t URLcount = 0, URLcount2 = 0;
|
||||||
|
size_t i;
|
||||||
|
int return_code = 0;
|
||||||
|
uri_type temp;
|
||||||
|
@@ -1175,16 +1175,23 @@ static int create_url_list(
|
||||||
|
}
|
||||||
|
memcpy( out->URLs, URLS->buff, URLS->size );
|
||||||
|
out->URLs[URLS->size] = 0;
|
||||||
|
- URLcount = 0;
|
||||||
|
for( i = 0; i < URLS->size; i++ ) {
|
||||||
|
if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
|
||||||
|
if( ( ( return_code =
|
||||||
|
parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
|
||||||
|
- &out->parsedURLs[URLcount] ) ) ==
|
||||||
|
+ &out->parsedURLs[URLcount2] ) ) ==
|
||||||
|
HTTP_SUCCESS )
|
||||||
|
- && ( out->parsedURLs[URLcount].hostport.text.size !=
|
||||||
|
+ && ( out->parsedURLs[URLcount2].hostport.text.size !=
|
||||||
|
0 ) ) {
|
||||||
|
- URLcount++;
|
||||||
|
+ URLcount2++;
|
||||||
|
+ if (URLcount2 >= URLcount)
|
||||||
|
+ /*
|
||||||
|
+ * break early here in case there is a bogus URL that
|
||||||
|
+ * was skipped above. This prevents to access
|
||||||
|
+ * out->parsedURLs[URLcount] which is beyond the
|
||||||
|
+ * allocation.
|
||||||
|
+ */
|
||||||
|
+ break;
|
||||||
|
} else {
|
||||||
|
if( return_code == UPNP_E_OUTOF_MEMORY ) {
|
||||||
|
free( out->URLs );
|
||||||
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863"
|
|||||||
SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \
|
SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \
|
||||||
file://avoid-redefining-strnlen-and-strndup.patch \
|
file://avoid-redefining-strnlen-and-strndup.patch \
|
||||||
file://sepbuildfix.patch \
|
file://sepbuildfix.patch \
|
||||||
|
file://CVE-2016-8863.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"
|
SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"
|
||||||
|
|||||||
Reference in New Issue
Block a user