[oe-commits] [meta-openembedded] 53/62: libupnp: Fix out-of-bound access in create_url_list() (CVE-2016-8863)
git at git.openembedded.org
git at git.openembedded.org
Tue Mar 7 13:29:26 UTC 2017
This is an automated email from the git hooks/post-receive script.
martin_jansa pushed a commit to branch morty-next
in repository meta-openembedded.
commit 56f6f5585de70819fa493d0d803f60799d02fa5c
Author: Andrej Valek <andrej.valek at siemens.com>
AuthorDate: Mon Dec 12 12:46:21 2016 +0100
libupnp: Fix out-of-bound access in create_url_list() (CVE-2016-8863)
If there is an invalid URL in URLS->buf after a valid one, uri_parse is
called with out pointing after the allocated memory. As uri_parse writes
to *out before returning an error the loop in create_url_list must be
stopped early to prevent an out-of-bound access
Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
Signed-off-by: Pascal Bach <pascal.bach at siemens.com>
Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
(cherry picked from commit b4659368a01a5b4209d9e1e571bb569ef4a06195)
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../libupnp/libupnp/CVE-2016-8863.patch | 57 ++++++++++++++++++++++
.../recipes-connectivity/libupnp/libupnp_1.6.19.bb | 1 +
2 files changed, 58 insertions(+)
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch
new file mode 100644
index 0000000..abb4a72
--- /dev/null
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch
@@ -0,0 +1,57 @@
+libupnp-1.6.19: Fix CVE-2016-8863
+
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+
+gena_device: Fix out-of-bound access in create_url_list()
+
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+
+Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7]
+CVE: CVE-2016-8863
+Signed-off-by: Andrej Valek <andrej.valek at siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach at siemens.com>
+
+diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
+index 39edc0b..0fd60ad 100644
+--- a/upnp/src/gena/gena_device.c
++++ b/upnp/src/gena/gena_device.c
+@@ -1133,7 +1133,7 @@ static int create_url_list(
+ /*! [out] . */
+ URL_list *out)
+ {
+- size_t URLcount = 0;
++ size_t URLcount = 0, URLcount2 = 0;
+ size_t i;
+ int return_code = 0;
+ uri_type temp;
+@@ -1175,16 +1175,23 @@ static int create_url_list(
+ }
+ memcpy( out->URLs, URLS->buff, URLS->size );
+ out->URLs[URLS->size] = 0;
+- URLcount = 0;
+ for( i = 0; i < URLS->size; i++ ) {
+ if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+ if( ( ( return_code =
+ parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+- &out->parsedURLs[URLcount] ) ) ==
++ &out->parsedURLs[URLcount2] ) ) ==
+ HTTP_SUCCESS )
+- && ( out->parsedURLs[URLcount].hostport.text.size !=
++ && ( out->parsedURLs[URLcount2].hostport.text.size !=
+ 0 ) ) {
+- URLcount++;
++ URLcount2++;
++ if (URLcount2 >= URLcount)
++ /*
++ * break early here in case there is a bogus URL that
++ * was skipped above. This prevents to access
++ * out->parsedURLs[URLcount] which is beyond the
++ * allocation.
++ */
++ break;
+ } else {
+ if( return_code == UPNP_E_OUTOF_MEMORY ) {
+ free( out->URLs );
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
index 133a8eb..71fc70d 100644
--- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863"
SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \
file://avoid-redefining-strnlen-and-strndup.patch \
file://sepbuildfix.patch \
+ file://CVE-2016-8863.patch \
"
SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list