import-layers/meta-openembedded/meta-multimedia/recipes-connectivity/libupnp/libupnp/CVE-2016-8863.patch - openbmc/openbmc - Gitiles

 libupnp-1.6.19: Fix CVE-2016-8863

 [No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771

 gena_device: Fix out-of-bound access in create_url_list()

 If there is an invalid URL in URLS->buf after a valid one, uri_parse is
 called with out pointing after the allocated memory. As uri_parse writes
 to *out before returning an error the loop in create_url_list must be
 stopped early to prevent an out-of-bound access

 Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7]
 CVE: CVE-2016-8863
 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
 Signed-off-by: Pascal Bach <pascal.bach@siemens.com>

 diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
 index 39edc0b..0fd60ad 100644
 --- a/upnp/src/gena/gena_device.c
 +++ b/upnp/src/gena/gena_device.c
 @@ -1133,7 +1133,7 @@ static int create_url_list(
  	/*! [out] . */
  	URL_list *out)
  {
 -    size_t URLcount = 0;
 +    size_t URLcount = 0, URLcount2 = 0;
      size_t i;
      int return_code = 0;
      uri_type temp;
 @@ -1175,16 +1175,23 @@ static int create_url_list(
          }
          memcpy( out->URLs, URLS->buff, URLS->size );
          out->URLs[URLS->size] = 0;
 -        URLcount = 0;
          for( i = 0; i < URLS->size; i++ ) {
              if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
                  if( ( ( return_code =
                          parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
 -                                   &out->parsedURLs[URLcount] ) ) ==
 +                                   &out->parsedURLs[URLcount2] ) ) ==
                        HTTP_SUCCESS )
 -                    && ( out->parsedURLs[URLcount].hostport.text.size !=
 +                    && ( out->parsedURLs[URLcount2].hostport.text.size !=
                           0 ) ) {
 -                    URLcount++;
 +                    URLcount2++;
 +                    if (URLcount2 >= URLcount)
 +                        /*
 +                         * break early here in case there is a bogus URL that
 +                         * was skipped above. This prevents to access
 +                         * out->parsedURLs[URLcount] which is beyond the
 +                         * allocation.
 +                         */
 +                        break;
                  } else {
                      if( return_code == UPNP_E_OUTOF_MEMORY ) {
                          free( out->URLs );
	libupnp-1.6.19: Fix CVE-2016-8863

	[No upstream tracking] -- https://bugzilla.redhat.com/show_bug.cgi?id=1388771

	gena_device: Fix out-of-bound access in create_url_list()

	If there is an invalid URL in URLS->buf after a valid one, uri_parse is
	called with out pointing after the allocated memory. As uri_parse writes
	to *out before returning an error the loop in create_url_list must be
	stopped early to prevent an out-of-bound access

	Upstream-Status: Backported [https://sourceforge.net/p/pupnp/code/ci/9c099c2923ab4d98530ab5204af1738be5bddba7]
	CVE: CVE-2016-8863
	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
	Signed-off-by: Pascal Bach <pascal.bach@siemens.com>

	diff --git a/upnp/src/gena/gena_device.c b/upnp/src/gena/gena_device.c
	index 39edc0b..0fd60ad 100644
	--- a/upnp/src/gena/gena_device.c
	+++ b/upnp/src/gena/gena_device.c
	@@ -1133,7 +1133,7 @@ static int create_url_list(
	/! [out] . /
	URL_list *out)
	{
	- size_t URLcount = 0;
	+ size_t URLcount = 0, URLcount2 = 0;
	size_t i;
	int return_code = 0;
	uri_type temp;
	@@ -1175,16 +1175,23 @@ static int create_url_list(
	}
	memcpy( out->URLs, URLS->buff, URLS->size );
	out->URLs[URLS->size] = 0;
	- URLcount = 0;
	for( i = 0; i < URLS->size; i++ ) {
	if( ( URLS->buff[i] == '<' ) && ( i + 1 < URLS->size ) ) {
	if( ( ( return_code =
	parse_uri( &out->URLs[i + 1], URLS->size - i + 1,
	- &out->parsedURLs[URLcount] ) ) ==
	+ &out->parsedURLs[URLcount2] ) ) ==
	HTTP_SUCCESS )
	- && ( out->parsedURLs[URLcount].hostport.text.size !=
	+ && ( out->parsedURLs[URLcount2].hostport.text.size !=
	0 ) ) {
	- URLcount++;
	+ URLcount2++;
	+ if (URLcount2 >= URLcount)
	+ /*
	+ * break early here in case there is a bogus URL that
	+ * was skipped above. This prevents to access
	+ * out->parsedURLs[URLcount] which is beyond the
	+ * allocation.
	+ */
	+ break;
	} else {
	if( return_code == UPNP_E_OUTOF_MEMORY ) {
	free( out->URLs );