gnu: libupnp: Fix CVE-2016-8863.
1 Fix CVE-2016-8863:
2
3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
4 https://sourceforge.net/p/pupnp/bugs/133/
5
6 Patch copied from upstream source repository:
7
8 https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7/
9
10 From 9c099c2923ab4d98530ab5204af1738be5bddba7 Mon Sep 17 00:00:00 2001
11 From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <ukleinek@debian.org>
12 Date: Thu, 8 Dec 2016 17:11:53 +0100
13 Subject: [PATCH] Fix out-of-bound access in create_url_list() (CVE-2016-8863)
14
15 If there is an invalid URL in URLS->buff after a valid one, parse_uri is
16 called with out pointing after the allocated memory. As parse_uri writes
17 to *out before returning an error, the loop in create_url_list must be
18 stopped early to prevent an out-of-bound access.
19
20 Bug: https://sourceforge.net/p/pupnp/bugs/133/
21 Bug-CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8863
22 Bug-Debian: https://bugs.debian.org/842093
23 Bug-Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1388771
24 (cherry picked from commit a0f6e719bc03c4d2fe6a4a42ef6b8761446f520b)
25 ---
26 upnp/src/gena/gena_device.c | 17 ++++++++++++-----
27 1 file changed, 12 insertions(+), 5 deletions(-)
28
29 diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
30 index fb04a29..245c56b 100644
31 --- a/upnp/src/gena/gena_device.c
32 +++ b/upnp/src/gena/gena_device.c
33 @@ -1113,7 +1113,7 @@ static int create_url_list(
34 /*! [out] . */
35 URL_list *out)
36 {
37 - size_t URLcount = 0;
38 + size_t URLcount = 0, URLcount2 = 0;
39 size_t i;
40 int return_code = 0;
41 uri_type temp;
42 @@ -1155,16 +1155,23 @@ static int create_url_list(
43 }
44 memcpy( out->URLs, URLS->buff, URLS->size );
45 out->URLs[URLS->size] = 0;
46 - URLcount = 0;
47 for( i = 0; i < URLS->size; i++ ) {
48 if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
49 if( ( ( return_code =
50 parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
51 - &out->parsedURLs[URLcount] ) ) ==
52 + &out->parsedURLs[URLcount2] ) ) ==
53 HTTP_SUCCESS )
54 - && ( out->parsedURLs[URLcount].hostport.text.size !=
55 + && ( out->parsedURLs[URLcount2].hostport.text.size !=
56 0 ) ) {
57 - URLcount++;
58 + URLcount2++;
59 + if (URLcount2 >= URLcount)
60 + /*
61 + * break early here in case there is a bogus URL that
62 + * was skipped above. This prevents to access
63 + * out->parsedURLs[URLcount] which is beyond the
64 + * allocation.
65 + */
66 + break;
67 } else {
68 if( return_code == UPNP_E_OUTOF_MEMORY ) {
69 free( out->URLs );
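Review bot: The `break` added after `URLcount2++` keeps the second pass within the `URLcount` entries allocated for `out->parsedURLs`, but the count the caller receives — presumably an `out->size = URLcount;` after the loop, outside this hunk — still comes from the first pass: the diffstat's 12 insertions and 5 deletions are fully accounted for by the two hunks shown, so no line after the loop changed. The two passes do not parse identical bytes: the first pass parsed `URLS->buff`, this one parses the copy `out->URLs` with the same length `URLS->size - i + 1`, which extends past the NUL written at `out->URLs[URLS->size] = 0`, so if parse_uri ever rejects here what it accepted earlier, `URLcount2` ends below `URLcount` and the caller is handed uninitialized `parsedURLs` entries. Reporting the loop's own tally, `out->size = URLcount2;`, closes that gap regardless of how the passes diverge. As a wording nit, the new comment reads better as `This prevents accessing out->parsedURLs[URLcount], which is beyond the allocation.` create_url_list starts before this hunk and its tail, including the size assignment, lies after it.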
70 --
71 2.11.0
72