mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 04:17:25 +00:00
libiec61850: patch CVE-2024-45970
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-45970 Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
@@ -0,0 +1,71 @@
|
|||||||
|
From 554e77c542f1c09b689907d5e2ea8bff4b2ad969 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Zillgith <michael.zillgith@mz-automation.de>
|
||||||
|
Date: Tue, 23 Jul 2024 18:50:15 +0100
|
||||||
|
Subject: [PATCH] - fixed potential buffer overflows in MMS client file service
|
||||||
|
handling (LIB61850-449)
|
||||||
|
|
||||||
|
CVE: CVE-2024-45970
|
||||||
|
Upstream-Status: Backport [https://github.com/mz-automation/libiec61850/commit/ac925fae8e281ac6defcd630e9dd756264e9c5bc]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++----
|
||||||
|
1 file changed, 19 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c
|
||||||
|
index 307ab534..1aa8dff2 100644
|
||||||
|
--- a/src/mms/iso_mms/client/mms_client_files.c
|
||||||
|
+++ b/src/mms/iso_mms/client/mms_client_files.c
|
||||||
|
@@ -478,8 +478,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi
|
||||||
|
break;
|
||||||
|
case 0x81: /* lastModified */
|
||||||
|
{
|
||||||
|
- if (lastModified != NULL) {
|
||||||
|
+ if (lastModified != NULL)
|
||||||
|
+ {
|
||||||
|
char gtString[40];
|
||||||
|
+
|
||||||
|
+ if (length > sizeof(gtString) - 1)
|
||||||
|
+ return false; /* lastModified string too long */
|
||||||
|
+
|
||||||
|
memcpy(gtString, buffer + bufPos, length);
|
||||||
|
gtString[length] = 0;
|
||||||
|
*lastModified = Conversions_generalizedTimeToMsTime(gtString);
|
||||||
|
@@ -506,12 +511,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
|
||||||
|
uint32_t fileSize = 0;
|
||||||
|
uint64_t lastModified = 0;
|
||||||
|
|
||||||
|
- while (bufPos < maxBufPos) {
|
||||||
|
+ while (bufPos < maxBufPos)
|
||||||
|
+ {
|
||||||
|
uint8_t tag = buffer[bufPos++];
|
||||||
|
int length;
|
||||||
|
|
||||||
|
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
|
||||||
|
- if (bufPos < 0) {
|
||||||
|
+ if (bufPos < 0)
|
||||||
|
+ {
|
||||||
|
if (DEBUG_MMS_CLIENT)
|
||||||
|
printf("MMS_CLIENT: invalid length field\n");
|
||||||
|
return false;
|
||||||
|
@@ -525,12 +532,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
|
||||||
|
tag = buffer[bufPos++];
|
||||||
|
|
||||||
|
bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
|
||||||
|
- if (bufPos < 0) {
|
||||||
|
+ if (bufPos < 0)
|
||||||
|
+ {
|
||||||
|
if (DEBUG_MMS_CLIENT)
|
||||||
|
printf("MMS_CLIENT: invalid length field\n");
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (length > (sizeof(fileNameMemory) - 1))
|
||||||
|
+ {
|
||||||
|
+ if (DEBUG_MMS_CLIENT)
|
||||||
|
+ printf("MMS_CLIENT: filename too long\n");
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
memcpy(filename, buffer + bufPos, length);
|
||||||
|
filename[length] = 0;
|
||||||
|
|
||||||
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/mz-automation/${BPN}.git;branch=v1.5;protocol=https
|
|||||||
file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \
|
file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \
|
||||||
file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \
|
file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \
|
||||||
file://CVE-2024-45969.patch \
|
file://CVE-2024-45969.patch \
|
||||||
|
file://CVE-2024-45970.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
S = "${WORKDIR}/git"
|
S = "${WORKDIR}/git"
|
||||||
|
|||||||
Reference in New Issue
Block a user