aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/connman-CVE-2022-32292.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/connman-CVE-2022-32292.patch')
-rw-r--r--gnu/packages/patches/connman-CVE-2022-32292.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/gnu/packages/patches/connman-CVE-2022-32292.patch b/gnu/packages/patches/connman-CVE-2022-32292.patch
new file mode 100644
index 0000000000..cbe30742e1
--- /dev/null
+++ b/gnu/packages/patches/connman-CVE-2022-32292.patch
@@ -0,0 +1,34 @@
+https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd
+
+From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
+From: Nathan Crandall <ncrandall@tesla.com>
+Date: Tue, 12 Jul 2022 08:56:34 +0200
+Subject: gweb: Fix OOB write in received_data()
+
+There is a mismatch of handling binary vs. C-string data with memchr
+and strlen, resulting in pos, count, and bytes_read to become out of
+sync and result in a heap overflow. Instead, do not treat the buffer
+as an ASCII C-string. We calculate the count based on the return value
+of memchr, instead of strlen.
+
+Fixes: CVE-2022-32292
+---
+ gweb/gweb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gweb/gweb.c b/gweb/gweb.c
+index 12fcb1d8..13c6c5f2 100644
+--- a/gweb/gweb.c
++++ b/gweb/gweb.c
+@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
+ }
+
+ *pos = '\0';
+- count = strlen((char *) ptr);
++ count = pos - ptr;
+ if (count > 0 && ptr[count - 1] == '\r') {
+ ptr[--count] = '\0';
+ bytes_read--;
+--
+cgit
+
generated by cgit