1 files changed, 0 insertions, 98 deletions
diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
deleted file mode 100644
index 0ccb99da81..0000000000
--- a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
-From: Fei Li <lifeibiren@gmail.com>
-Date: Fri, 17 Jul 2020 02:18:37 +0800
-Subject: [PATCH] Fix buffer overflow when PAC is enabled
-The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
-out to be the large PAC file (more than 102400 bytes) returned by a
-local proxy program with no content-length present.
-Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
-CVE: CVE-2020-26154
-Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
- libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
- 1 file changed, 31 insertions(+), 13 deletions(-)
-diff --git a/libproxy/url.cpp b/libproxy/url.cpp
-index ee776b2..8684086 100644
--- a/libproxy/url.cpp
-+++ b/libproxy/url.cpp
-@@ -54,7 +54,7 @@ using namespace std;
- #define PAC_MIME_TYPE_FB "text/plain"
- 
- // This is the maximum pac size (to avoid memory attacks)
-#define PAC_MAX_SIZE 102400
-+#define PAC_MAX_SIZE 0x800000
- // This is the default block size to use when receiving via HTTP
- #define PAC_HTTP_BLOCK_SIZE 512
- 
-@@ -478,15 +478,13 @@ char* url::get_pac() {
-                }
- 
-                // Get content
-               unsigned int recvd = 0;
-               buffer = new char[PAC_MAX_SIZE];
-               memset(buffer, 0, PAC_MAX_SIZE);
-+               std::vector<char> dynamic_buffer;
-                do {
-                        unsigned int chunk_length;
- 
-                        if (chunked) {
-                                // Discard the empty line if we received a previous chunk
-                               if (recvd > 0) recvline(sock);
-+                               if (!dynamic_buffer.empty()) recvline(sock);
- 
-                                // Get the chunk-length line as an integer
-                                if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
-@@ -498,21 +496,41 @@ char* url::get_pac() {
- 
-                        if (content_length >= PAC_MAX_SIZE) break;
- 
-                       while (content_length == 0 || recvd != content_length) {
-                               int r = recv(sock, buffer + recvd,
-                                            content_length == 0 ? PAC_HTTP_BLOCK_SIZE
-                                                                : content_length - recvd, 0);
-+                       while (content_length == 0 || dynamic_buffer.size() != content_length) {
-+                               // Calculate length to recv
-+                               unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
-+                               if (content_length > 0)
-+                                       length_to_read = content_length - dynamic_buffer.size();
-+
-+                               // Prepare buffer
-+                               dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
-+
-+                               int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
-+
-+                               // Shrink buffer to fit
-+                               if (r >= 0)
-+                                       dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
-+
-+                               // PAC size too large, discard
-+                               if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
-+                                       chunked = false;
-+                                       dynamic_buffer.clear();
-+                                       break;
-+                               }
-+
-                                if (r <= 0) {
-                                        chunked = false;
-                                        break;
-                                }
-                               recvd += r;
-                        }
-                } while (chunked);
- 
-               if (content_length != 0 && string(buffer).size() != content_length) {
-                       delete[] buffer;
-                       buffer = NULL;
-+               if (content_length == 0 || content_length == dynamic_buffer.size()) {
-+                       buffer = new char[dynamic_buffer.size() + 1];
-+                       if (!dynamic_buffer.empty()) {
-+                               memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
-+                       }
-+                       buffer[dynamic_buffer.size()] = '\0';
-                }
-        }
-

diff --git a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch b/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch deleted file mode 100644 index 0ccb99da81..0000000000 --- a/meta/recipes-support/libproxy/libproxy/CVE-2020-26154.patch +++ /dev/null
@@ -1,98 +0,0 @@
1	From 4411b523545b22022b4be7d0cac25aa170ae1d3e Mon Sep 17 00:00:00 2001
2	From: Fei Li <lifeibiren@gmail.com>
3	Date: Fri, 17 Jul 2020 02:18:37 +0800
4	Subject: [PATCH] Fix buffer overflow when PAC is enabled
5
6	The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
7	out to be the large PAC file (more than 102400 bytes) returned by a
8	local proxy program with no content-length present.
9
10	Upstream-Status: Backport [https://github.com/libproxy/libproxy/commit/6d342b50366a048d3d543952e2be271b5742c5f8]
11	CVE: CVE-2020-26154
12	Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
13
14	---
15	libproxy/url.cpp \| 44 +++++++++++++++++++++++++++++++-------------
16	1 file changed, 31 insertions(+), 13 deletions(-)
17
18	diff --git a/libproxy/url.cpp b/libproxy/url.cpp
19	index ee776b2..8684086 100644
20	--- a/libproxy/url.cpp
21	+++ b/libproxy/url.cpp
22	@@ -54,7 +54,7 @@ using namespace std;
23	#define PAC_MIME_TYPE_FB "text/plain"
24
25	// This is the maximum pac size (to avoid memory attacks)
26	-#define PAC_MAX_SIZE 102400
27	+#define PAC_MAX_SIZE 0x800000
28	// This is the default block size to use when receiving via HTTP
29	#define PAC_HTTP_BLOCK_SIZE 512
30
31	@@ -478,15 +478,13 @@ char* url::get_pac() {
32	}
33
34	// Get content
35	- unsigned int recvd = 0;
36	- buffer = new char[PAC_MAX_SIZE];
37	- memset(buffer, 0, PAC_MAX_SIZE);
38	+ std::vector<char> dynamic_buffer;
39	do {
40	unsigned int chunk_length;
41
42	if (chunked) {
43	// Discard the empty line if we received a previous chunk
44	- if (recvd > 0) recvline(sock);
45	+ if (!dynamic_buffer.empty()) recvline(sock);
46
47	// Get the chunk-length line as an integer
48	if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 \|\| chunk_length == 0) break;
49	@@ -498,21 +496,41 @@ char* url::get_pac() {
50
51	if (content_length >= PAC_MAX_SIZE) break;
52
53	- while (content_length == 0 \|\| recvd != content_length) {
54	- int r = recv(sock, buffer + recvd,
55	- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
56	- : content_length - recvd, 0);
57	+ while (content_length == 0 \|\| dynamic_buffer.size() != content_length) {
58	+ // Calculate length to recv
59	+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
60	+ if (content_length > 0)
61	+ length_to_read = content_length - dynamic_buffer.size();
62	+
63	+ // Prepare buffer
64	+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
65	+
66	+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
67	+
68	+ // Shrink buffer to fit
69	+ if (r >= 0)
70	+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
71	+
72	+ // PAC size too large, discard
73	+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
74	+ chunked = false;
75	+ dynamic_buffer.clear();
76	+ break;
77	+ }
78	+
79	if (r <= 0) {
80	chunked = false;
81	break;
82	}
83	- recvd += r;
84	}
85	} while (chunked);
86
87	- if (content_length != 0 && string(buffer).size() != content_length) {
88	- delete[] buffer;
89	- buffer = NULL;
90	+ if (content_length == 0 \|\| content_length == dynamic_buffer.size()) {
91	+ buffer = new char[dynamic_buffer.size() + 1];
92	+ if (!dynamic_buffer.empty()) {
93	+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
94	+ }
95	+ buffer[dynamic_buffer.size()] = '\0';
96	}
97	}
98