mirror of
https://git.yoctoproject.org/poky
synced 2026-06-03 01:40:07 +00:00
ppp: fix CVE-2022-4603
<CVE-2022-4603> Avoid out-of-range access to packet buffer Upstream-Status: Backport[https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf] (From OE-Core rev: 7f33a49f7aaae67288389eacbe8b13318694e07c) Signed-off-by:Minjae Kim <flowergom@gmail.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Minjae Kim
committed by
Richard Purdie
Richard Purdie
parent
d3a522d857
commit
2f3d5da3b0
@@ -0,0 +1,50 @@
|
|||||||
|
From 2aeb41a9a3a43b11b1e46628d0bf98197ff9f141 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Paul Mackerras <paulus@ozlabs.org>
|
||||||
|
Date: Thu, 29 Dec 2022 18:00:20 +0100
|
||||||
|
Subject: [PATCH] pppdump: Avoid out-of-range access to packet buffer
|
||||||
|
|
||||||
|
This fixes a potential vulnerability where data is written to spkt.buf
|
||||||
|
and rpkt.buf without a check on the array index. To fix this, we
|
||||||
|
check the array index (pkt->cnt) before storing the byte or
|
||||||
|
incrementing the count. This also means we no longer have a potential
|
||||||
|
signed integer overflow on the increment of pkt->cnt.
|
||||||
|
|
||||||
|
Fortunately, pppdump is not used in the normal process of setting up a
|
||||||
|
PPP connection, is not installed setuid-root, and is not invoked
|
||||||
|
automatically in any scenario that I am aware of.
|
||||||
|
|
||||||
|
Ustream-Status: Backport [https://github.com/ppp-project/ppp/commit/a75fb7b198eed50d769c80c36629f38346882cbf]
|
||||||
|
CVE: CVE-2022-4603
|
||||||
|
Signed-off-by:Minjae Kim <flowergom@gmail.com>
|
||||||
|
---
|
||||||
|
pppdump/pppdump.c | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/pppdump/pppdump.c b/pppdump/pppdump.c
|
||||||
|
index 87c2e8f..dec4def 100644
|
||||||
|
--- a/pppdump/pppdump.c
|
||||||
|
+++ b/pppdump/pppdump.c
|
||||||
|
@@ -296,6 +296,10 @@ dumpppp(f)
|
||||||
|
printf("%s aborted packet:\n ", dir);
|
||||||
|
q = " ";
|
||||||
|
}
|
||||||
|
+ if (pkt->cnt >= sizeof(pkt->buf)) {
|
||||||
|
+ printf("%s over-long packet truncated:\n ", dir);
|
||||||
|
+ q = " ";
|
||||||
|
+ }
|
||||||
|
nb = pkt->cnt;
|
||||||
|
p = pkt->buf;
|
||||||
|
pkt->cnt = 0;
|
||||||
|
@@ -399,7 +403,8 @@ dumpppp(f)
|
||||||
|
c ^= 0x20;
|
||||||
|
pkt->esc = 0;
|
||||||
|
}
|
||||||
|
- pkt->buf[pkt->cnt++] = c;
|
||||||
|
+ if (pkt->cnt < sizeof(pkt->buf))
|
||||||
|
+ pkt->buf[pkt->cnt++] = c;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.25.1
|
||||||
|
|
||||||
@@ -34,6 +34,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/${BP}.tar.gz \
|
|||||||
file://0001-ppp-Remove-unneeded-include.patch \
|
file://0001-ppp-Remove-unneeded-include.patch \
|
||||||
file://ppp-2.4.7-DES-openssl.patch \
|
file://ppp-2.4.7-DES-openssl.patch \
|
||||||
file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
|
file://0001-pppd-Fix-bounds-check-in-EAP-code.patch \
|
||||||
|
file://CVE-2022-4603.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI_append_libc-musl = "\
|
SRC_URI_append_libc-musl = "\
|
||||||
|
|||||||
Reference in New Issue
Block a user