libupnp: Fix out-of-bound access in create_url_list() (CVE-2016-8863)

If there is an invalid URL in URLS->buf after a valid one, uri_parse is called with out pointing after the allocated memory. As uri_parse writes to *out before returning an error the loop in create_url_list must be stopped early to prevent an out-of-bound access Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Pascal Bach <pascal.bach@siemens.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com> (cherry picked from commit b4659368a01a5b4209d9e1e571bb569ef4a06195) Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Andrej Valek <andrej.valek@siemens.com> 2016-12-12 12:46:21 +0100
committer: Armin Kuster <akuster808@gmail.com> 2017-02-24 19:33:29 +0000
commit: 56f6f5585de70819fa493d0d803f60799d02fa5c (patch)
tree: f889e0db9878364d675f5260e15deac8d34295dc /meta-multimedia
parent: b53fe10e0275dc8ec41a8acd27032d0cf1f43122 (diff)
download: meta-openembedded-56f6f5585de70819fa493d0d803f60799d02fa5c.tar.gz
2 files changed, 58 insertions, 0 deletions
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch
new file mode 100644
index 0000000000..abb4a72a41
--- /dev/null
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch
@@ -0,0 +1,57 @@
+libupnp-1.6.19: Fix CVE-2016-8863
+[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771
+gena_device: Fix out-of-bound access in create_url_list()
+If there is an invalid URL in URLS->buf after a valid one, uri_parse is
+called with out pointing after the allocated memory. As uri_parse writes
+to *out before returning an error the loop in create_url_list must be
+stopped early to prevent an out-of-bound access
+Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7]
+CVE: CVE-2016-8863
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
+diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
+index 39edc0b..0fd60ad 100644
+--- a/upnp/src/gena/gena_device.c
+++ b/upnp/src/gena/gena_device.c
+@@ -1133,7 +1133,7 @@ static int create_url_list(
+        /*! [out] . */
+        URL_list *out)
+ {
+-    size_t URLcount = 0;
+    size_t URLcount = 0, URLcount2 = 0;
+     size_t i;
+     int return_code = 0;
+     uri_type temp;
+@@ -1175,16 +1175,23 @@ static int create_url_list(
+         }
+         memcpy( out->URLs, URLS->buff, URLS->size );
+         out->URLs[URLS->size] = 0;
+-        URLcount = 0;
+         for( i = 0; i < URLS->size; i++ ) {
+             if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
+                 if( ( ( return_code =
+                         parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
+-                                   &out->parsedURLs[URLcount] ) ) ==
+                                   &out->parsedURLs[URLcount2] ) ) ==
+                       HTTP_SUCCESS )
+-                    && ( out->parsedURLs[URLcount].hostport.text.size !=
+                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
+                          0 ) ) {
+-                    URLcount++;
+                    URLcount2++;
+                    if (URLcount2 >= URLcount)
+                        /*
+                         * break early here in case there is a bogus URL that
+                         * was skipped above. This prevents to access
+                         * out->parsedURLs[URLcount] which is beyond the
+                         * allocation.
+                         */
+                        break;
+                 } else {
+                     if( return_code == UPNP_E_OUTOF_MEMORY ) {
+                         free( out->URLs );
diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
index 133a8ebd53..71fc70dd19 100644
--- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
+++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863"
 SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \
           file://avoid-redefining-strnlen-and-strndup.patch \
           file://sepbuildfix.patch \
+           file://CVE-2016-8863.patch \
 "
 SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"
author	Andrej Valek <andrej.valek@siemens.com>	2016-12-12 12:46:21 +0100
committer	Armin Kuster <akuster808@gmail.com>	2017-02-24 19:33:29 +0000
commit	56f6f5585de70819fa493d0d803f60799d02fa5c (patch)
tree	f889e0db9878364d675f5260e15deac8d34295dc /meta-multimedia
parent	b53fe10e0275dc8ec41a8acd27032d0cf1f43122 (diff)
download	meta-openembedded-56f6f5585de70819fa493d0d803f60799d02fa5c.tar.gz

diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch new file mode 100644 index 0000000000..abb4a72a41 --- /dev/null +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch
@@ -0,0 +1,57 @@
		1	libupnp-1.6.19: Fix CVE-2016-8863
		2
		3	[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771
		4
		5	gena_device: Fix out-of-bound access in create_url_list()
		6
		7	If there is an invalid URL in URLS->buf after a valid one, uri_parse is
		8	called with out pointing after the allocated memory. As uri_parse writes
		9	to *out before returning an error the loop in create_url_list must be
		10	stopped early to prevent an out-of-bound access
		11
		12	Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7]
		13	CVE: CVE-2016-8863
		14	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		15	Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
		16
		17	diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
		18	index 39edc0b..0fd60ad 100644
		19	--- a/upnp/src/gena/gena_device.c
		20	+++ b/upnp/src/gena/gena_device.c
		21	@@ -1133,7 +1133,7 @@ static int create_url_list(
		22	/! [out] . /
		23	URL_list *out)
		24	{
		25	- size_t URLcount = 0;
		26	+ size_t URLcount = 0, URLcount2 = 0;
		27	size_t i;
		28	int return_code = 0;
		29	uri_type temp;
		30	@@ -1175,16 +1175,23 @@ static int create_url_list(
		31	}
		32	memcpy( out->URLs, URLS->buff, URLS->size );
		33	out->URLs[URLS->size] = 0;
		34	- URLcount = 0;
		35	for( i = 0; i < URLS->size; i++ ) {
		36	if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
		37	if( ( ( return_code =
		38	parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
		39	- &out->parsedURLs[URLcount] ) ) ==
		40	+ &out->parsedURLs[URLcount2] ) ) ==
		41	HTTP_SUCCESS )
		42	- && ( out->parsedURLs[URLcount].hostport.text.size !=
		43	+ && ( out->parsedURLs[URLcount2].hostport.text.size !=
		44	0 ) ) {
		45	- URLcount++;
		46	+ URLcount2++;
		47	+ if (URLcount2 >= URLcount)
		48	+ /*
		49	+ * break early here in case there is a bogus URL that
		50	+ * was skipped above. This prevents to access
		51	+ * out->parsedURLs[URLcount] which is beyond the
		52	+ * allocation.
		53	+ */
		54	+ break;
		55	} else {
		56	if( return_code == UPNP_E_OUTOF_MEMORY ) {
		57	free( out->URLs );


diff --git a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb index 133a8ebd53..71fc70dd19 100644 --- a/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb +++ b/meta-multimedia/recipes-connectivity/libupnp/libupnp_1.6.19.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=b3190d5244e08e78e4c8ee78544f4863"
11	SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \	11	SRC_URI = "${SOURCEFORGE_MIRROR}/pupnp/${BP}.tar.bz2 \
12	file://avoid-redefining-strnlen-and-strndup.patch \	12	file://avoid-redefining-strnlen-and-strndup.patch \
13	file://sepbuildfix.patch \	13	file://sepbuildfix.patch \
		14	file://CVE-2016-8863.patch \
14	"	15	"
15		16
16	SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"	17	SRC_URI[md5sum] = "ee16e5d33a3ea7506f38d71facc057dd"