diff options
| -rw-r--r-- | meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch | 40 | ||||
| -rw-r--r-- | meta-oe/recipes-support/nss/nss_3.74.bb | 1 |
2 files changed, 41 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch b/meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch new file mode 100644 index 0000000000..af32c42aec --- /dev/null +++ b/meta-oe/recipes-support/nss/nss/0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From 2e75513a13e3cf4a16626ef654242b3b07cc8f29 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: John Schanck <jschanck@mozilla.com> | ||
| 3 | Date: Mon, 11 Dec 2023 19:24:14 +0000 | ||
| 4 | Subject: [PATCH] Bug 1867408 - add a defensive check for large ssl_DefSend | ||
| 5 | return values. r=nkulatova | ||
| 6 | |||
| 7 | Differential Revision: https://phabricator.services.mozilla.com/D195054 | ||
| 8 | |||
| 9 | --HG-- | ||
| 10 | extra : moz-landing-system : lando | ||
| 11 | |||
| 12 | CVE: CVE-2024-0743 | ||
| 13 | Upstream-Status: Backport [https://github.com/nss-dev/nss/commit/2e75513a13e3cf4a16626ef654242b3b07cc8f29] | ||
| 14 | |||
| 15 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
| 16 | --- | ||
| 17 | lib/ssl/sslsecur.c | 7 ++++++- | ||
| 18 | 1 file changed, 6 insertions(+), 1 deletion(-) | ||
| 19 | |||
| 20 | diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c | ||
| 21 | index 59ef064c9..9e994f4b5 100644 | ||
| 22 | --- a/lib/ssl/sslsecur.c | ||
| 23 | +++ b/lib/ssl/sslsecur.c | ||
| 24 | @@ -453,7 +453,12 @@ ssl_SendSavedWriteData(sslSocket *ss) | ||
| 25 | if (rv < 0) { | ||
| 26 | return rv; | ||
| 27 | } | ||
| 28 | - ss->pendingBuf.len -= rv; | ||
| 29 | + if (rv > ss->pendingBuf.len) { | ||
| 30 | + PORT_Assert(0); /* This shouldn't happen */ | ||
| 31 | + ss->pendingBuf.len = 0; | ||
| 32 | + } else { | ||
| 33 | + ss->pendingBuf.len -= rv; | ||
| 34 | + } | ||
| 35 | if (ss->pendingBuf.len > 0 && rv > 0) { | ||
| 36 | /* UGH !! This shifts the whole buffer down by copying it */ | ||
| 37 | PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv, | ||
| 38 | -- | ||
| 39 | 2.30.2 | ||
| 40 | |||
diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb index c394c82e69..26baf669d1 100644 --- a/meta-oe/recipes-support/nss/nss_3.74.bb +++ b/meta-oe/recipes-support/nss/nss_3.74.bb | |||
| @@ -33,6 +33,7 @@ SRC_URI = "http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${VERSIO | |||
| 33 | file://nss-fix-nsinstall-build.patch \ | 33 | file://nss-fix-nsinstall-build.patch \ |
| 34 | file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ | 34 | file://0001-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \ |
| 35 | file://0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch;patchdir=nss \ | 35 | file://0001-Bug-1780432-CVE-2023-5388-Timing-attack-against-RSA-.patch;patchdir=nss \ |
| 36 | file://0001-Bug-1867408-add-a-defensive-check-for-large-ssl_DefS.patch;patchdir=nss \ | ||
| 36 | " | 37 | " |
| 37 | SRC_URI[sha256sum] = "88928811f9f40f87d42e2eaccdf6e454562e51486067f2ddbe90aa47ea6cd056" | 38 | SRC_URI[sha256sum] = "88928811f9f40f87d42e2eaccdf6e454562e51486067f2ddbe90aa47ea6cd056" |
| 38 | 39 | ||
