guix/gnu/packages/patches/connman-CVE-2022-32292.patch
Efraim Flashner f9ada7fdc4
gnu: connman: Patch CVE-2022-32392, CVE-2022-32293.
* gnu/packages/connman.scm (connman)[source]: Add patches.
* gnu/packages/patches/connman-CVE-2022-32292.patch,
gnu/packages/patches/connman-CVE-2022-32293-pt1.patch,
gnu/packages/patches/connman-CVE-2022-32293-pt1.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
2022-09-19 11:19:49 +03:00

34 lines
1.1 KiB
Diff

https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd
From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
From: Nathan Crandall <ncrandall@tesla.com>
Date: Tue, 12 Jul 2022 08:56:34 +0200
Subject: gweb: Fix OOB write in received_data()
There is a mismatch of handling binary vs. C-string data with memchr
and strlen, resulting in pos, count, and bytes_read to become out of
sync and result in a heap overflow. Instead, do not treat the buffer
as an ASCII C-string. We calculate the count based on the return value
of memchr, instead of strlen.
Fixes: CVE-2022-32292
---
gweb/gweb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gweb/gweb.c b/gweb/gweb.c
index 12fcb1d8..13c6c5f2 100644
--- a/gweb/gweb.c
+++ b/gweb/gweb.c
@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
}
*pos = '\0';
- count = strlen((char *) ptr);
+ count = pos - ptr;
if (count > 0 && ptr[count - 1] == '\r') {
ptr[--count] = '\0';
bytes_read--;
--
cgit