diff options
author | Chee Yang Lee <chee.yang.lee@intel.com> | 2022-09-13 11:47:37 +0800 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2022-09-13 05:35:33 -1000 |
commit | 380b6fb2583f875aad0cb28c91b1531e63eb2eeb (patch) | |
tree | da4e14db5f4abec2f94ced6f5ab62c719207b13a | |
parent | 8414d39f3f89cc1176bd55c9455ad942db8ea4b1 (diff) | |
download | openembedded-core-contrib-380b6fb2583f875aad0cb28c91b1531e63eb2eeb.tar.gz |
connman: fix CVE-2022-32292
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch | 37 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman_1.37.bb | 1 |
2 files changed, 38 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..74a739d6a2 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch @@ -0,0 +1,37 @@ +From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 +From: Nathan Crandall <ncrandall@tesla.com> +Date: Tue, 12 Jul 2022 08:56:34 +0200 +Subject: gweb: Fix OOB write in received_data() + +There is a mismatch of handling binary vs. C-string data with memchr +and strlen, resulting in pos, count, and bytes_read to become out of +sync and result in a heap overflow. Instead, do not treat the buffer +as an ASCII C-string. We calculate the count based on the return value +of memchr, instead of strlen. + +Fixes: CVE-2022-32292 + +Upstream-Status: Backport +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b +CVE: CVE-2022-32292 +Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> +--- + gweb/gweb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gweb/gweb.c b/gweb/gweb.c +index 12fcb1d8..13c6c5f2 100644 +--- a/gweb/gweb.c ++++ b/gweb/gweb.c +@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, + } + + *pos = '\0'; +- count = strlen((char *) ptr); ++ count = pos - ptr; + if (count > 0 && ptr[count - 1] == '\r') { + ptr[--count] = '\0'; + bytes_read--; +-- +cgit + diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index bdd1e590ec..4f22c7ad49 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb @@ -12,6 +12,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2021-33833.patch \ file://CVE-2022-23096-7.patch \ file://CVE-2022-23098.patch \ + file://CVE-2022-32292.patch \ " SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" |