diff options
| -rw-r--r-- | meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch | 71 | ||||
| -rw-r--r-- | meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb | 1 |
2 files changed, 72 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch b/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch new file mode 100644 index 0000000000..81759438e1 --- /dev/null +++ b/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch | |||
| @@ -0,0 +1,71 @@ | |||
| 1 | From 554e77c542f1c09b689907d5e2ea8bff4b2ad969 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Michael Zillgith <michael.zillgith@mz-automation.de> | ||
| 3 | Date: Tue, 23 Jul 2024 18:50:15 +0100 | ||
| 4 | Subject: [PATCH] - fixed potential buffer overflows in MMS client file service | ||
| 5 | handling (LIB61850-449) | ||
| 6 | |||
| 7 | CVE: CVE-2024-45970 | ||
| 8 | Upstream-Status: Backport [https://github.com/mz-automation/libiec61850/commit/ac925fae8e281ac6defcd630e9dd756264e9c5bc] | ||
| 9 | Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> | ||
| 10 | --- | ||
| 11 | src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++---- | ||
| 12 | 1 file changed, 19 insertions(+), 4 deletions(-) | ||
| 13 | |||
| 14 | diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c | ||
| 15 | index 307ab534..1aa8dff2 100644 | ||
| 16 | --- a/src/mms/iso_mms/client/mms_client_files.c | ||
| 17 | +++ b/src/mms/iso_mms/client/mms_client_files.c | ||
| 18 | @@ -478,8 +478,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi | ||
| 19 | break; | ||
| 20 | case 0x81: /* lastModified */ | ||
| 21 | { | ||
| 22 | - if (lastModified != NULL) { | ||
| 23 | + if (lastModified != NULL) | ||
| 24 | + { | ||
| 25 | char gtString[40]; | ||
| 26 | + | ||
| 27 | + if (length > sizeof(gtString) - 1) | ||
| 28 | + return false; /* lastModified string too long */ | ||
| 29 | + | ||
| 30 | memcpy(gtString, buffer + bufPos, length); | ||
| 31 | gtString[length] = 0; | ||
| 32 | *lastModified = Conversions_generalizedTimeToMsTime(gtString); | ||
| 33 | @@ -506,12 +511,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI | ||
| 34 | uint32_t fileSize = 0; | ||
| 35 | uint64_t lastModified = 0; | ||
| 36 | |||
| 37 | - while (bufPos < maxBufPos) { | ||
| 38 | + while (bufPos < maxBufPos) | ||
| 39 | + { | ||
| 40 | uint8_t tag = buffer[bufPos++]; | ||
| 41 | int length; | ||
| 42 | |||
| 43 | bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); | ||
| 44 | - if (bufPos < 0) { | ||
| 45 | + if (bufPos < 0) | ||
| 46 | + { | ||
| 47 | if (DEBUG_MMS_CLIENT) | ||
| 48 | printf("MMS_CLIENT: invalid length field\n"); | ||
| 49 | return false; | ||
| 50 | @@ -525,12 +532,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI | ||
| 51 | tag = buffer[bufPos++]; | ||
| 52 | |||
| 53 | bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos); | ||
| 54 | - if (bufPos < 0) { | ||
| 55 | + if (bufPos < 0) | ||
| 56 | + { | ||
| 57 | if (DEBUG_MMS_CLIENT) | ||
| 58 | printf("MMS_CLIENT: invalid length field\n"); | ||
| 59 | return false; | ||
| 60 | } | ||
| 61 | |||
| 62 | + if (length > (sizeof(fileNameMemory) - 1)) | ||
| 63 | + { | ||
| 64 | + if (DEBUG_MMS_CLIENT) | ||
| 65 | + printf("MMS_CLIENT: filename too long\n"); | ||
| 66 | + return false; | ||
| 67 | + } | ||
| 68 | + | ||
| 69 | memcpy(filename, buffer + bufPos, length); | ||
| 70 | filename[length] = 0; | ||
| 71 | |||
diff --git a/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb b/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb index d36a3c9306..ce6f79e996 100644 --- a/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb +++ b/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb | |||
| @@ -19,6 +19,7 @@ SRC_URI = "git://github.com/mz-automation/${BPN}.git;branch=v1.5;protocol=https | |||
| 19 | file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \ | 19 | file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \ |
| 20 | file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \ | 20 | file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \ |
| 21 | file://CVE-2024-45969.patch \ | 21 | file://CVE-2024-45969.patch \ |
| 22 | file://CVE-2024-45970.patch \ | ||
| 22 | " | 23 | " |
| 23 | 24 | ||
| 24 | S = "${WORKDIR}/git" | 25 | S = "${WORKDIR}/git" |
