diff options
Diffstat (limited to 'meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch')
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch new file mode 100644 index 0000000000..6fe7a21e33 --- /dev/null +++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20231.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From 15beb4b193b2714d88107e7dffca781798684e7e Mon Sep 17 00:00:00 2001 | ||
2 | From: Daiki Ueno <ueno@gnu.org> | ||
3 | Date: Fri, 29 Jan 2021 14:06:32 +0100 | ||
4 | Subject: [PATCH] key_share: avoid use-after-free around realloc | ||
5 | |||
6 | Signed-off-by: Daiki Ueno <ueno@gnu.org> | ||
7 | |||
8 | https://gitlab.com/gnutls/gnutls/-/commit/15beb4b193b2714d88107e7dffca781798684e7e | ||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2021-CVE-2021-20231 | ||
11 | Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> | ||
12 | --- | ||
13 | lib/ext/key_share.c | 12 +++++------- | ||
14 | 1 file changed, 5 insertions(+), 7 deletions(-) | ||
15 | |||
16 | diff --git a/lib/ext/key_share.c b/lib/ext/key_share.c | ||
17 | index ab8abf8fe6..a8c4bb5cff 100644 | ||
18 | --- a/lib/ext/key_share.c | ||
19 | +++ b/lib/ext/key_share.c | ||
20 | @@ -664,14 +664,14 @@ key_share_send_params(gnutls_session_t session, | ||
21 | { | ||
22 | unsigned i; | ||
23 | int ret; | ||
24 | - unsigned char *lengthp; | ||
25 | - unsigned int cur_length; | ||
26 | unsigned int generated = 0; | ||
27 | const gnutls_group_entry_st *group; | ||
28 | const version_entry_st *ver; | ||
29 | |||
30 | /* this extension is only being sent on client side */ | ||
31 | if (session->security_parameters.entity == GNUTLS_CLIENT) { | ||
32 | + unsigned int length_pos; | ||
33 | + | ||
34 | ver = _gnutls_version_max(session); | ||
35 | if (unlikely(ver == NULL || ver->key_shares == 0)) | ||
36 | return 0; | ||
37 | @@ -679,16 +679,13 @@ key_share_send_params(gnutls_session_t session, | ||
38 | if (!have_creds_for_tls13(session)) | ||
39 | return 0; | ||
40 | |||
41 | - /* write the total length later */ | ||
42 | - lengthp = &extdata->data[extdata->length]; | ||
43 | + length_pos = extdata->length; | ||
44 | |||
45 | ret = | ||
46 | _gnutls_buffer_append_prefix(extdata, 16, 0); | ||
47 | if (ret < 0) | ||
48 | return gnutls_assert_val(ret); | ||
49 | |||
50 | - cur_length = extdata->length; | ||
51 | - | ||
52 | if (session->internals.hsk_flags & HSK_HRR_RECEIVED) { /* we know the group */ | ||
53 | group = get_group(session); | ||
54 | if (unlikely(group == NULL)) | ||
55 | @@ -736,7 +733,8 @@ key_share_send_params(gnutls_session_t session, | ||
56 | } | ||
57 | |||
58 | /* copy actual length */ | ||
59 | - _gnutls_write_uint16(extdata->length - cur_length, lengthp); | ||
60 | + _gnutls_write_uint16(extdata->length - length_pos - 2, | ||
61 | + &extdata->data[length_pos]); | ||
62 | |||
63 | } else { /* server */ | ||
64 | ver = get_version(session); | ||
65 | -- | ||
66 | GitLab | ||
67 | |||