gnutls-3: fix recent CVEs
1 From 785af1ab577f899d2e54172ff120f404709bf172 Mon Sep 17 00:00:00 2001
2 From: Nikos Mavrogiannopoulos <nmav@redhat.com>
3 Date: Wed, 4 Jan 2017 15:22:13 +0100
4 Subject: [PATCH] opencdk: added error checking in the stream reading functions
6 This addresses an out of memory error. Issue found using oss-fuzz:
7 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=337
9 Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
10 ---
11 lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++++++++-----
12 1 file changed, 35 insertions(+), 5 deletions(-)
14 Index: gnutls28-3.4.10/lib/opencdk/read-packet.c
15 ===================================================================
16 --- gnutls28-3.4.10.orig/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500
17 +++ gnutls28-3.4.10/lib/opencdk/read-packet.c 2017-01-26 10:10:49.072776537 -0500
18 @@ -50,13 +50,13 @@
19 static u32 read_32(cdk_stream_t s)
21 byte buf[4];
22 - size_t nread;
23 + size_t nread = 0;
25 assert(s != NULL);
27 stream_read(s, buf, 4, &nread);
28 if (nread != 4)
29 - return (u32) - 1;
30 + return (u32) -1;
31 return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
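Review bot: The context line `return buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];` left-shifts an int-promoted byte by 24, which is undefined behaviour whenever buf[0] >= 0x80 because the result does not fit in a signed int (assuming `byte` is an unsigned 8-bit type, as the name suggests); widening first, `return (u32)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];`, makes it well-defined and is worth doing while the function is being touched. The `(u32) -1` sentinel that the new checks in the later hunks compare against is in-band: a genuine 0xFFFFFFFF field is now reported as a read error, which is acceptable for length fields but should be stated on the function, e.g. `/* Returns (u32)-1 on a short read; a real 0xFFFFFFFF value is indistinguishable and is rejected by callers. */`. read_32's closing brace lies outside the hunk.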
34 @@ -65,7 +65,7 @@
35 static u16 read_16(cdk_stream_t s)
37 byte buf[2];
38 - size_t nread;
39 + size_t nread = 0;
41 assert(s != NULL);
43 @@ -547,7 +547,7 @@
44 static cdk_error_t
45 read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
47 - byte c, c1;
48 + int c, c1;
49 size_t size, nread, n;
50 cdk_subpkt_t node;
51 cdk_error_t rc;
52 @@ -562,11 +562,18 @@
53 *r_nbytes = 0;
54 c = cdk_stream_getc(inp);
55 n++;
57 if (c == 255) {
58 size = read_32(inp);
59 + if (size == (u32)-1)
60 + return CDK_Inv_Packet;
62 n += 4;
63 } else if (c >= 192 && c < 255) {
64 c1 = cdk_stream_getc(inp);
65 + if (c1 == EOF)
66 + return CDK_Inv_Packet;
68 n++;
69 if (c1 == 0)
70 return 0;
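Review bot: The first byte read in this hunk, `c = cdk_stream_getc(inp);`, is still not checked for EOF, even though the nested read of c1 now is and the declaration hunk above changed c to int precisely so that EOF can be told apart from 0xFF. An EOF value of -1 matches neither `c == 255` nor `c >= 192 && c < 255`, so it falls into the remaining branch, which is outside this hunk and presumably treats c as a one-byte length; adding `if (c == EOF) return CDK_Inv_Packet;` directly after that read, before `n++`, closes the gap consistently with the other new checks. read_subpkt's body continues beyond the hunk.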
71 @@ -831,17 +838,29 @@
72 read_old_length(cdk_stream_t inp, int ctb, size_t * r_len, size_t * r_size)
74 int llen = ctb & 0x03;
75 + int c;
77 if (llen == 0) {
78 - *r_len = cdk_stream_getc(inp);
79 + c = cdk_stream_getc(inp);
80 + if (c == EOF)
81 + goto fail;
83 + *r_len = c;
84 (*r_size)++;
85 } else if (llen == 1) {
86 *r_len = read_16(inp);
87 + if (*r_len == (u16)-1)
88 + goto fail;
89 (*r_size) += 2;
90 } else if (llen == 2) {
91 *r_len = read_32(inp);
92 + if (*r_len == (u32)-1) {
93 + goto fail;
94 + }
96 (*r_size) += 4;
97 } else {
98 + fail:
99 *r_len = 0;
100 *r_size = 0;
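Review bot: The new `fail:` label sits inside the final `else` branch, so a truncated stream now yields exactly the same outputs (`*r_len = 0; *r_size = 0;`) as a legitimately encoded indeterminate-length packet (llen == 3), and a caller looking only at these two values cannot tell the cases apart; the function's return type is on the line above the hunk and not visible here, so if it is void the caller has to re-check the stream's EOF state itself. Either return a distinct status from the failure path or document the ambiguity at the label, e.g. `/* fail: truncated input; reported exactly like the indeterminate-length case, callers must check stream EOF */`. Separately, `if (*r_len == (u16)-1)` and `if (*r_len == (u32)-1)` reject the in-band values 0xFFFF and 0xFFFFFFFF as well as short reads, which is acceptable for length fields but deserves a comment. read_old_length continues past the end of the hunk.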
102 @@ -856,15 +875,25 @@
103 int c, c1;
105 c = cdk_stream_getc(inp);
106 + if (c == EOF)
107 + return;
109 (*r_size)++;
110 if (c < 192)
111 *r_len = c;
112 else if (c >= 192 && c <= 223) {
113 c1 = cdk_stream_getc(inp);
114 + if (c1 == EOF)
115 + return;
117 (*r_size)++;
118 *r_len = ((c - 192) << 8) + c1 + 192;
119 } else if (c == 255) {
120 *r_len = read_32(inp);
121 + if (*r_len == (u32)-1) {
122 + return;
125 (*r_size) += 4;
126 } else {
127 *r_len = 1 << (c & 0x1f);
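Review bot: The three new early returns (`if (c == EOF) return;`, `if (c1 == EOF) return;` and the one after `*r_len = read_32(inp);`) leave `*r_len` and `*r_size` untouched, whereas read_old_length's new failure path zeroes both; unless the caller initialises these outputs before the call, which is not visible here, a truncated stream leaves whatever stale length was there and the check buys little. Mirroring read_old_length with `if (c == EOF) goto fail;` at each site and a single `fail:` that sets `*r_len = 0; *r_size = 0;` before returning would make the two length readers behave alike; the end of this function, where the label would go, lies outside the hunk, as does its signature. The `+ if (*r_len == (u32)-1) {` block also appears here without its closing brace, which looks like the viewer dropping lone-brace lines (the gutter numbering skips) rather than a defect in the patch, but is worth confirming against the original.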