| From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 |
| From: Nathan Crandall <ncrandall@tesla.com> |
| Date: Tue, 12 Jul 2022 08:56:34 +0200 |
| Subject: gweb: Fix OOB write in received_data() |
| |
| There is a mismatch of handling binary vs. C-string data with memchr |
| and strlen, resulting in pos, count, and bytes_read to become out of |
| sync and result in a heap overflow. Instead, do not treat the buffer |
| as an ASCII C-string. We calculate the count based on the return value |
| of memchr, instead of strlen. |
| |
| Fixes: CVE-2022-32292 |
| |
| CVE: CVE-2022-32292 |
| |
| Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd] |
| Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| --- |
| gweb/gweb.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/gweb/gweb.c b/gweb/gweb.c |
| index 12fcb1d8..13c6c5f2 100644 |
| --- a/gweb/gweb.c |
| +++ b/gweb/gweb.c |
| @@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, |
| } |
| |
| *pos = '\0'; |
| - count = strlen((char *) ptr); |
| + count = pos - ptr; |
| if (count > 0 && ptr[count - 1] == '\r') { |
| ptr[--count] = '\0'; |
| bytes_read--; |
| -- |
| cgit |
| |