Diffstat (limited to 'meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch')
-rw-r--r-- | meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch | 65 |
1 files changed, 65 insertions, 0 deletions
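diff --git a/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch
new file mode 100644
index 0000000000..e13917cddb
--- /dev/null
+++ b/meta/recipes-support/gnutls/gnutls/CVE-2021-20232.patch
@@ -0,0 +1,65 @@
+From 75a937d97f4fefc6f9b08e3791f151445f551cb3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Fri, 29 Jan 2021 14:06:50 +0100
+Subject: [PATCH] pre_shared_key: avoid use-after-free around realloc
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+
+https://gitlab.com/gnutls/gnutls/-/commit/75a937d97f4fefc6f9b08e3791f151445f551cb3
+Upstream-Status: Backport
+CVE: CVE-2021-CVE-2021-20232
+Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
+---
+lib/ext/pre_shared_key.c | 15 ++++++++++++---
+1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c
+index a042c6488e..380bf39ed5 100644
+--- a/lib/ext/pre_shared_key.c
++++ b/lib/ext/pre_shared_key.c
+@@ -267,7 +267,7 @@ client_send_params(gnutls_session_t session,
+size_t spos;
+gnutls_datum_t username = {NULL, 0};
+gnutls_datum_t user_key = {NULL, 0}, rkey = {NULL, 0};
+- gnutls_datum_t client_hello;
++ unsigned client_hello_len;
+unsigned next_idx;
+const mac_entry_st *prf_res = NULL;
+const mac_entry_st *prf_psk = NULL;
+@@ -428,8 +428,7 @@ client_send_params(gnutls_session_t session,
+assert(extdata->length >= sizeof(mbuffer_st));
+assert(ext_offset >= (ssize_t)sizeof(mbuffer_st));
+ext_offset -= sizeof(mbuffer_st);
+- client_hello.data = extdata->data+sizeof(mbuffer_st);
+- client_hello.size = extdata->length-sizeof(mbuffer_st);
++ client_hello_len = extdata->length-sizeof(mbuffer_st);
+
+next_idx = 0;
+
+@@ -440,6 +439,11 @@ client_send_params(gnutls_session_t session,
+}
+
+if (prf_res && rkey.size > 0) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ret = compute_psk_binder(session, prf_res,
+binders_len, binders_pos,
+ext_offset, &rkey, &client_hello, 1,
+@@ -474,6 +478,11 @@ client_send_params(gnutls_session_t session,
+}
+
+if (prf_psk && user_key.size > 0 && info) {
++ gnutls_datum_t client_hello;
++
++ client_hello.data = extdata->data+sizeof(mbuffer_st);
++ client_hello.size = client_hello_len;
++
+ret = compute_psk_binder(session, prf_psk,
+binders_len, binders_pos,
+ext_offset, &user_key, &client_hello, 0,
+--
+GitLab
+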
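Review bot: The `CVE:` tag in the patch header reads `CVE: CVE-2021-CVE-2021-20232`, which repeats the prefix and is not a well-formed identifier; it should be `CVE: CVE-2021-20232`. Tooling that reads the tag from the patch body rather than from the file name would probably not credit this backport against the CVE, so the issue could keep showing up as unpatched in scan reports. The diffstat on this page is limited to the patch file, so whether the recipe's `SRC_URI` also lists it cannot be confirmed from here.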