diff options
Diffstat (limited to 'meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch')
-rw-r--r-- | meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch | 57 |
1 files changed, 0 insertions, 57 deletions
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch deleted file mode 100644 index abb4a72a41..0000000000 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch +++ /dev/null @@ -1,57 +0,0 @@ -libupnp-1.6.19: Fix CVE-2016-8863 - -[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771 - -gena_device: Fix out-of-bound access in create_url_list() - -If there is an invalid URL in URLS->buf after a valid one, uri_parse is -called with out pointing after the allocated memory. As uri_parse writes -to *out before returning an error the loop in create_url_list must be -stopped early to prevent an out-of-bound access - -Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7] -CVE: CVE-2016-8863 -Signed-off-by: Andrej Valek <andrej.valek@siemens.com> -Signed-off-by: Pascal Bach <pascal.bach@siemens.com> - -diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c -index 39edc0b..0fd60ad 100644 ---- a/upnp/src/gena/gena_device.c -+++ b/upnp/src/gena/gena_device.c -@@ -1133,7 +1133,7 @@ static int create_url_list( - /*! [out] . */ - URL_list *out) - { -- size_t URLcount = 0; -+ size_t URLcount = 0, URLcount2 = 0; - size_t i; - int return_code = 0; - uri_type temp; -@@ -1175,16 +1175,23 @@ static int create_url_list( - } - memcpy( out->URLs, URLS->buff, URLS->size ); - out->URLs[URLS->size] = 0; -- URLcount = 0; - for( i = 0; i < URLS->size; i++ ) { - if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) { - if( ( ( return_code = - parse_uri( &out->URLs[i + 1], URLS->size - i + 1, -- &out->parsedURLs[URLcount] ) ) == -+ &out->parsedURLs[URLcount2] ) ) == - HTTP_SUCCESS ) -- && ( out->parsedURLs[URLcount].hostport.text.size != -+ && ( out->parsedURLs[URLcount2].hostport.text.size != - 0 ) ) { -- URLcount++; -+ URLcount2++; -+ if (URLcount2 >= URLcount) -+ /* -+ * break early here in case there is a bogus URL that -+ * was skipped above. This prevents to access -+ * out->parsedURLs[URLcount] which is beyond the -+ * allocation. -+ */ -+ break; - } else { - if( return_code == UPNP_E_OUTOF_MEMORY ) { - free( out->URLs ); |