diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2016-12-12 12:46:21 +0100 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2016-12-26 08:23:18 +0100 |
commit | b4659368a01a5b4209d9e1e571bb569ef4a06195 (patch) | |
tree | 3ee68a7b5f8a823b881f35365e4bda79bfd20cf6 /meta-multimedia | |
parent | 42a46903392c85b2b2cc7ed9a8413261f03a8ab4 (diff) | |
download | meta-openembedded-contrib-b4659368a01a5b4209d9e1e571bb569ef4a06195.tar.gz |
libupnp: Fix out-of-bound access in create_url_list() (CVE-2016-8863)
If there is an invalid URL in URLS->buf after a valid one, uri_parse is
called with out pointing after the allocated memory. As uri_parse writes
to *out before returning an error the loop in create_url_list must be
stopped early to prevent an out-of-bound access
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-multimedia')
-rw-r--r-- | meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch | 57 | ||||
-rw-r--r-- | meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb | 1 |
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch new file mode 100644 index 0000000000..abb4a72a41 --- /dev/null +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch @@ -0,0 +1,57 @@ +libupnp-1.6.19: Fix CVE-2016-8863 + +[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771 + +gena_device: Fix out-of-bound access in create_url_list() + +If there is an invalid URL in URLS->buf after a valid one, uri_parse is +called with out pointing after the allocated memory. As uri_parse writes +to *out before returning an error the loop in create_url_list must be +stopped early to prevent an out-of-bound access + +Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7] +CVE: CVE-2016-8863 +Signed-off-by: Andrej Valek <andrej.valek@siemens.com> +Signed-off-by: Pascal Bach <pascal.bach@siemens.com> + +diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c +index 39edc0b..0fd60ad 100644 +--- a/upnp/src/gena/gena_device.c ++++ b/upnp/src/gena/gena_device.c +@@ -1133,7 +1133,7 @@ static int create_url_list( + /*! [out] . */ + URL_list *out) + { +- size_t URLcount = 0; ++ size_t URLcount = 0, URLcount2 = 0; + size_t i; + int return_code = 0; + uri_type temp; +@@ -1175,16 +1175,23 @@ static int create_url_list( + } + memcpy( out->URLs, URLS->buff, URLS->size ); + out->URLs[URLS->size] = 0; +- URLcount = 0; + for( i = 0; i < URLS->size; i++ ) { + if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { + if( ( ( return_code = + parse_uri( &out->URLs[i + 1], URLS->size - i + 1, +- &out->parsedURLs[URLcount] ) ) == ++ &out->parsedURLs[URLcount2] ) ) == + HTTP_SUCCESS ) +- && ( out->parsedURLs[URLcount].hostport.text.size != ++ && ( out->parsedURLs[URLcount2].hostport.text.size != + 0 ) ) { +- URLcount++; ++ URLcount2++; ++ if (URLcount2 >= URLcount) ++ /* ++ * break early here in case there is a bogus URL that ++ * was skipped above. This prevents to access ++ * out->parsedURLs[URLcount] which is beyond the ++ * allocation. ++ */ ++ break; + } else { + if( return_code == UPNP_E_OUTOF_MEMORY ) { + free( out->URLs ); diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb index 133a8ebd53..71fc70dd19 100644 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb @@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863" SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \ file://avoid-redefining-strnlen-and-strndup.patch \ file://sepbuildfix.patch \ + file://CVE-2016-8863.patch \ " SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd" |