-rw-r--r--meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch71
-rw-r--r--meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb1
2 files changed, 72 insertions, 0 deletions
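--- /dev/null
+++ b/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch
@@ -0,0 +1,71 @@
+From 554e77c542f1c09b689907d5e2ea8bff4b2ad969 Mon Sep 17 00:00:00 2001
+From: Michael Zillgith <michael.zillgith@mz-automation.de>
+Date: Tue, 23 Jul 2024 18:50:15 +0100
+Subject: [PATCH] - fixed potential buffer overflows in MMS client file service
+ handling (LIB61850-449)
+
+CVE: CVE-2024-45970
+Upstream-Status: Backport [https://github.com/mz-automation/libiec61850/commit/ac925fae8e281ac6defcd630e9dd756264e9c5bc]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c
+index 307ab534..1aa8dff2 100644
+--- a/src/mms/iso_mms/client/mms_client_files.c
++++ b/src/mms/iso_mms/client/mms_client_files.c
+@@ -478,8 +478,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi
+ break;
+ case 0x81: /* lastModified */
+ {
+- if (lastModified != NULL) {
++ if (lastModified != NULL)
++ {
+ char gtString[40];
++
++ if (length > sizeof(gtString) - 1)
++ return false; /* lastModified string too long */
++
+ memcpy(gtString, buffer + bufPos, length);
+ gtString[length] = 0;
+ *lastModified = Conversions_generalizedTimeToMsTime(gtString);
+@@ -506,12 +511,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
+ uint32_t fileSize = 0;
+ uint64_t lastModified = 0;
+
+- while (bufPos < maxBufPos) {
++ while (bufPos < maxBufPos)
++ {
+ uint8_t tag = buffer[bufPos++];
+ int length;
+
+ bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+- if (bufPos < 0) {
++ if (bufPos < 0)
++ {
+ if (DEBUG_MMS_CLIENT)
+ printf("MMS_CLIENT: invalid length field\n");
+ return false;
+@@ -525,12 +532,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
+ tag = buffer[bufPos++];
+
+ bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+- if (bufPos < 0) {
++ if (bufPos < 0)
++ {
+ if (DEBUG_MMS_CLIENT)
+ printf("MMS_CLIENT: invalid length field\n");
+ return false;
+ }
+
++ if (length > (sizeof(fileNameMemory) - 1))
++ {
++ if (DEBUG_MMS_CLIENT)
++ printf("MMS_CLIENT: filename too long\n");
++ return false;
++ }
++
+ memcpy(filename, buffer + bufPos, length);
+ filename[length] = 0;
+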
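Review bot: Both added guards bound only the destination of the `memcpy` that follows (`gtString` in parseFileAttributes, `filename` in parseDirectoryEntry). Nothing visible in these hunks checks that `length` bytes are still available between `bufPos` and `maxBufPos`, so the read side depends on `BerDecoder_decodeLength` having rejected an over-long length, which this page does not show. If it does not, `if (length < 0 || length > maxBufPos - bufPos) return false;` before each copy would cover the source as well. The comparison `length > sizeof(...) - 1` also rejects a negative `length` only through the implicit int-to-size_t conversion (`length` is declared `int` in parseDirectoryEntry), which deserves a comment such as `/* negative length converts to a large size_t and is rejected here */`. The filename guard is sized against `fileNameMemory` while the copy targets `filename`, whose declaration lies outside the hunk along with the start and end of both functions, so that relationship should be confirmed.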
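--- a/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb
+++ b/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/mz-automation/${BPN}.git;branch=v1.5;protocol=https
  file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \
  file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \
  file://CVE-2024-45969.patch \
+ file://CVE-2024-45970.patch \
  "
 
 S = "${WORKDIR}/git"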