https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd

From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
From: Nathan Crandall <ncrandall@tesla.com>
Date: Tue, 12 Jul 2022 08:56:34 +0200
Subject: gweb: Fix OOB write in received_data()

There is a mismatch of handling binary vs. C-string data with memchr
and strlen, resulting in pos, count, and bytes_read to become out of
sync and result in a heap overflow.  Instead, do not treat the buffer
as an ASCII C-string. We calculate the count based on the return value
of memchr, instead of strlen.

Fixes: CVE-2022-32292
---
 gweb/gweb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gweb/gweb.c b/gweb/gweb.c
index 12fcb1d8..13c6c5f2 100644
--- a/gweb/gweb.c
+++ b/gweb/gweb.c
@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
 		}
 
 		*pos = '\0';
-		count = strlen((char *) ptr);
+		count = pos - ptr;
 		if (count > 0 && ptr[count - 1] == '\r') {
 			ptr[--count] = '\0';
 			bytes_read--;
-- 
cgit 

/guix/about/'>about</a><a href='/guix/'>summary</a><a href='/guix/refs/?id=a44569899a54d18a70b62498bec3774f0be3f66b'>refs</a><a class='active' href='/guix/log/gnu/packages/patches/fail2ban-paths-guix-conf.patch'>log</a><a href='/guix/tree/gnu/packages/patches/fail2ban-paths-guix-conf.patch?id=a44569899a54d18a70b62498bec3774f0be3f66b'>tree</a><a href='/guix/commit/gnu/packages/patches/fail2ban-paths-guix-conf.patch?id=a44569899a54d18a70b62498bec3774f0be3f66b'>commit</a><a href='/guix/diff/gnu/packages/patches/fail2ban-paths-guix-conf.patch?id=a44569899a54d18a70b62498bec3774f0be3f66b'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/gnu/packages/patches/fail2ban-paths-guix-conf.patch'>
<input type='hidden' name='id' value='a44569899a54d18a70b62498bec3774f0be3f66b'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=a44569899a54d18a70b62498bec3774f0be3f66b'>root</a>/<a href='/guix/log/gnu?id=a44569899a54d18a70b62498bec3774f0be3f66b'>gnu</a>/<a href='/guix/log/gnu/packages?id=a44569899a54d18a70b62498bec3774f0be3f66b'>packages</a>/<a href='/guix/log/gnu/packages/patches?id=a44569899a54d18a70b62498bec3774f0be3f66b'>patches</a>/<a href='/guix/log/gnu/packages/patches/fail2ban-paths-guix-conf.patch?id=a44569899a54d18a70b62498bec3774f0be3f66b'>fail2ban-paths-guix-conf.patch</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/gnu/packages/patches/fail2ban-paths-guix-conf.patch?id=a44569899a54d18a70b62498bec3774f0be3f66b&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2022-08-01 17:20:27 +0200'>2022-08-01</span></td><td><a href='/guix/commit/gnu/packages/patches/fail2ban-paths-guix-conf.patch?id=d7e7494bc4d69de9db49488ee812e572c3250211'>gnu: Add fail2ban.</a><span class='msg-avail'>...<span class='msg-tooltip'>* gnu/packages/admin.scm (fail2ban): New variable.
* gnu/packages/patches/fail2ban-0.11.2_CVE-2021-32749.patch,
gnu/packages/patches/fail2ban-0.11.2_fix-setuptools-drop-2to3.patch,
gnu/packages/patches/fail2ban-0.11.2_fix-test-suite.patch,
gnu/packages/patches/fail2ban-paths-guix-conf.patch,
gnu/packages/patches/fail2ban-python310-server-action.patch,
gnu/packages/patches/fail2ban-python310-server-actions.patch,
gnu/packages/patches/fail2ban-python310-server-jails.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.

Co-authored-by: Ludovic Courtès &lt;ludo@gnu.org&gt;
</span></span></td><td>muradm</td></tr>