open62541: patch CVE-2024-53429

Details: https://nvd.nist.gov/vuln/detail/CVE-2024-53429

Backport the patch mentioned in the comment[1] which fixed this CVE.

[1] https://github.com/open62541/open62541/issues/6825#issuecomment-2460650733

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>

meta-networking/recipes-protocols/opcua/open62541/CVE-2024-53429.patch

@@ -0,0 +1,44 @@
+From c69c42bb55f66e1721367dc9c98d0b4a63b14c25 Mon Sep 17 00:00:00 2001
+From: Julius Pfrommer <julius.pfrommer@web.de>
+Date: Tue, 22 Oct 2024 21:47:15 +0200
+Subject: [PATCH] refactor(core): Validate Variant ArrayLength against its
+ ArrayDimensions during binary decode
+
+This lead to the fuzzer complaing since we hade the check for _encode
+but not for _decode. This is not a direct memory issue per se. But the
+consistency check allows early discovery of problematic values and
+can potentially remove bugs where the user relies on the array
+dimensions and the array length to match.
+
+CVE: CVE-2024-53429
+Upstream-Status: Backport [https://github.com/open62541/open62541/commit/b9473527623125b5ca264dae4551f8cc414b3bc3]
+(cherry picked from commit b9473527623125b5ca264dae4551f8cc414b3bc3)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/ua_types_encoding_binary.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/ua_types_encoding_binary.c b/src/ua_types_encoding_binary.c
+index 7b3a4f6b8..0272ba399 100644
+--- a/src/ua_types_encoding_binary.c
++++ b/src/ua_types_encoding_binary.c
+@@ -1093,9 +1093,18 @@ DECODE_BINARY(Variant) {
+     }
+ 
+     /* Decode array dimensions */
+-    if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0)
++    if(isArray && (encodingByte & (u8)UA_VARIANT_ENCODINGMASKTYPE_DIMENSIONS) > 0) {
+         ret |= Array_decodeBinary((void**)&dst->arrayDimensions, &dst->arrayDimensionsSize,
+                                   &UA_TYPES[UA_TYPES_INT32], ctx);
++        /* Validate array length against array dimensions */
++        size_t totalSize = 1;
++        for(size_t i = 0; i < dst->arrayDimensionsSize; ++i) {
++            if(dst->arrayDimensions[i] == 0)
++                return UA_STATUSCODE_BADDECODINGERROR;
++            totalSize *= dst->arrayDimensions[i];
++        }
++        UA_CHECK(totalSize == dst->arrayLength, ret = UA_STATUSCODE_BADDECODINGERROR);
++    }
+ 
+     ctx->depth--;
+     return ret;

meta-networking/recipes-protocols/opcua/open62541_1.3.8.bb

@@ -19,6 +19,7 @@ SRC_URI = " \
     git://github.com/OPCFoundation/UA-Nodeset;name=ua-nodeset;protocol=https;branch=v1.04;destsuffix=git/deps/ua-nodeset \
     git://github.com/LiamBindle/MQTT-C.git;name=mqtt-c;protocol=https;branch=master;destsuffix=git/deps/mqtt-c \
     file://0001-fix-build-do-not-install-git-files.patch \
+    file://CVE-2024-53429.patch \
 "
 
 S = "${WORKDIR}/git"