-rw-r--r-- | meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch | 98 | ||||
-rw-r--r-- | meta/recipes-support/libproxy/libproxy_0.4.15.bb | 1 |
2 files changed, 99 insertions, 0 deletions
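--- /dev/null
+++ b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
@@ -0,0 +1,98 @@
+From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
+From: Fei Li <lifeibiren@gmail.com>
+Date: Fri, 17 Jul 2020 02:18:37 +0800
+Subject: [PATCH] Fix buffer overflow when PAC is enabled
+
+The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
+out to be the large PAC file (more than 102400 bytes) returned by a
+local proxy program with no content-length present.
+
+Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
+CVE: CVE-2020-26154
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+
+---
+libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
+1 file changed, 31 insertions(+), 13 deletions(-)
+
+diff --git a/libproxy/url.cpp b/libproxy/url.cpp
+index ee776b2..8684086 100644
+--- a/libproxy/url.cpp
++++ b/libproxy/url.cpp
+@@ -54,7 +54,7 @@ using namespace std;
+#define PAC_MIME_TYPE_FB "text/plain"
+
+// This is the maximum pac size (to avoid memory attacks)
+-#define PAC_MAX_SIZE 102400
++#define PAC_MAX_SIZE 0x800000
+// This is the default block size to use when receiving via HTTP
+#define PAC_HTTP_BLOCK_SIZE 512
+
+@@ -478,15 +478,13 @@ char* url::get_pac() {
+}
+
+// Get content
+- unsigned int recvd = 0;
+- buffer = new char[PAC_MAX_SIZE];
+- memset(buffer, 0, PAC_MAX_SIZE);
++ std::vector<char> dynamic_buffer;
+do {
+unsigned int chunk_length;
+
+if (chunked) {
+// Discard the empty line if we received a previous chunk
+- if (recvd > 0) recvline(sock);
++ if (!dynamic_buffer.empty()) recvline(sock);
+
+// Get the chunk-length line as an integer
+if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
+@@ -498,21 +496,41 @@ char* url::get_pac() {
+
+if (content_length >= PAC_MAX_SIZE) break;
+
+- while (content_length == 0 || recvd != content_length) {
+- int r = recv(sock, buffer + recvd,
+- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
+- : content_length - recvd, 0);
++ while (content_length == 0 || dynamic_buffer.size() != content_length) {
++ // Calculate length to recv
++ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
++ if (content_length > 0)
++ length_to_read = content_length - dynamic_buffer.size();
++
++ // Prepare buffer
++ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
++
++ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
++
++ // Shrink buffer to fit
++ if (r >= 0)
++ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
++
++ // PAC size too large, discard
++ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
++ chunked = false;
++ dynamic_buffer.clear();
++ break;
++ }
++
+if (r <= 0) {
+chunked = false;
+break;
+}
+- recvd += r;
+}
+} while (chunked);
+
+- if (content_length != 0 && string(buffer).size() != content_length) {
+- delete[] buffer;
+- buffer = NULL;
++ if (content_length == 0 || content_length == dynamic_buffer.size()) {
++ buffer = new char[dynamic_buffer.size() + 1];
++ if (!dynamic_buffer.empty()) {
++ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
++ }
++ buffer[dynamic_buffer.size()] = '\0';
+}
+}
+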
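--- a/meta/recipes-support/libproxy/libproxy_0.4.15.bb
+++ b/meta/recipes-support/libproxy/libproxy_0.4.15.bb
@@ -11,6 +11,7 @@ DEPENDS = "glib-2.0"
 SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz \
 file://0001-get-pac-test-Fix-build-with-clang-libc.patch \
 file://CVE-2020-25219.patch \
+file://CVE-2020-26154.patch \
 "
 SRC_URI[md5sum] = "f6b1d2a1e17a99cd3debaae6d04ab152"
 SRC_URI[sha256sum] = "654db464120c9534654590b6683c7fa3887b3dad0ca1c4cd412af24fbfca6d4f"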