summaryrefslogtreecommitdiffstats
path: root/meta-multimedia/recipes-connectivity
diff options
context:
space:
mode:
authorAndrej Valek <andrej.valek@siemens.com>2016-12-12 12:46:21 +0100
committerMartin Jansa <Martin.Jansa@gmail.com>2016-12-26 08:23:18 +0100
commitb4659368a01a5b4209d9e1e571bb569ef4a06195 (patch)
tree3ee68a7b5f8a823b881f35365e4bda79bfd20cf6 /meta-multimedia/recipes-connectivity
parent42a46903392c85b2b2cc7ed9a8413261f03a8ab4 (diff)
downloadmeta-openembedded-b4659368a01a5b4209d9e1e571bb569ef4a06195.tar.gz
libupnp: Fix out-of-bound access in create_url_list() (CVE-2016-8863)
If there is an invalid URL in URLS->buf after a valid one, uri_parse is called with out pointing after the allocated memory. As uri_parse writes to *out before returning an error the loop in create_url_list must be stopped early to prevent an out-of-bound access Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Diffstat (limited to 'meta-multimedia/recipes-connectivity')
-rw-r--r--meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch57
-rw-r--r--meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb1
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch
new file mode 100644
index 000000000..abb4a72a4
--- /dev/null
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch
@@ -0,0 +1,57 @@
1libupnp-1.6.19: Fix CVE-2016-8863
2
3[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771
4
5gena_device: Fix out-of-bound access in create_url_list()
6
7If there is an invalid URL in URLS->buf after a valid one, uri_parse is
8called with out pointing after the allocated memory. As uri_parse writes
9to *out before returning an error the loop in create_url_list must be
10stopped early to prevent an out-of-bound access
11
12Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7]
13CVE: CVE-2016-8863
14Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
15Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
16
17diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
18index 39edc0b..0fd60ad 100644
19--- a/upnp/src/gena/gena_device.c
20+++ b/upnp/src/gena/gena_device.c
21@@ -1133,7 +1133,7 @@ static int create_url_list(
22 /*! [out] . */
23 URL_list *out)
24 {
25- size_t URLcount = 0;
26+ size_t URLcount = 0, URLcount2 = 0;
27 size_t i;
28 int return_code = 0;
29 uri_type temp;
30@@ -1175,16 +1175,23 @@ static int create_url_list(
31 }
32 memcpy( out->URLs, URLS->buff, URLS->size );
33 out->URLs[URLS->size] = 0;
34- URLcount = 0;
35 for( i = 0; i < URLS->size; i++ ) {
36 if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
37 if( ( ( return_code =
38 parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
39- &out->parsedURLs[URLcount] ) ) ==
40+ &out->parsedURLs[URLcount2] ) ) ==
41 HTTP_SUCCESS )
42- && ( out->parsedURLs[URLcount].hostport.text.size !=
43+ && ( out->parsedURLs[URLcount2].hostport.text.size !=
44 0 ) ) {
45- URLcount++;
46+ URLcount2++;
47+ if (URLcount2 >= URLcount)
48+ /*
49+ * break early here in case there is a bogus URL that
50+ * was skipped above. This prevents to access
51+ * out->parsedURLs[URLcount] which is beyond the
52+ * allocation.
53+ */
54+ break;
55 } else {
56 if( return_code == UPNP_E_OUTOF_MEMORY ) {
57 free( out->URLs );
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
index 133a8ebd5..71fc70dd1 100644
--- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863"
11SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \ 11SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \
12 file://avoid-redefining-strnlen-and-strndup.patch \ 12 file://avoid-redefining-strnlen-and-strndup.patch \
13 file://sepbuildfix.patch \ 13 file://sepbuildfix.patch \
14 file://CVE-2016-8863.patch \
14" 15"
15 16
16SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd" 17SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"