package/libpjsip: fix CVE-2022-235{3, 4}7
https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit is contained in:
parent
cc9acffa8a
commit
26344644ee
@ -0,0 +1,99 @@
|
||||
From d8440f4d711a654b511f50f79c0445b26f9dd1e1 Mon Sep 17 00:00:00 2001
|
||||
From: Nanang Izzuddin <nanang@teluu.com>
|
||||
Date: Tue, 20 Dec 2022 11:39:12 +0700
|
||||
Subject: [PATCH] Merge pull request from GHSA-9pfh-r8x4-w26w
|
||||
|
||||
* Fix buffer overread in STUN message decoder
|
||||
|
||||
* Updates based on comments
|
||||
|
||||
[Retrieved from:
|
||||
https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1]
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
---
|
||||
pjnath/include/pjnath/stun_msg.h | 4 ++++
|
||||
pjnath/src/pjnath/stun_msg.c | 14 +++++++++++---
|
||||
2 files changed, 15 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/pjnath/include/pjnath/stun_msg.h b/pjnath/include/pjnath/stun_msg.h
|
||||
index b52f95c586..e49f096f3a 100644
|
||||
--- a/pjnath/include/pjnath/stun_msg.h
|
||||
+++ b/pjnath/include/pjnath/stun_msg.h
|
||||
@@ -442,6 +442,7 @@ typedef enum pj_stun_status
|
||||
|
||||
\endverbatim
|
||||
*/
|
||||
+#pragma pack(1)
|
||||
typedef struct pj_stun_msg_hdr
|
||||
{
|
||||
/**
|
||||
@@ -473,6 +474,7 @@ typedef struct pj_stun_msg_hdr
|
||||
pj_uint8_t tsx_id[12];
|
||||
|
||||
} pj_stun_msg_hdr;
|
||||
+#pragma pack()
|
||||
|
||||
|
||||
/**
|
||||
@@ -490,6 +492,7 @@ typedef struct pj_stun_msg_hdr
|
||||
|
||||
\endverbatim
|
||||
*/
|
||||
+#pragma pack(1)
|
||||
typedef struct pj_stun_attr_hdr
|
||||
{
|
||||
/**
|
||||
@@ -506,6 +509,7 @@ typedef struct pj_stun_attr_hdr
|
||||
pj_uint16_t length;
|
||||
|
||||
} pj_stun_attr_hdr;
|
||||
+#pragma pack()
|
||||
|
||||
|
||||
/**
|
||||
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
|
||||
index 3def6b3eac..e904a0ba47 100644
|
||||
--- a/pjnath/src/pjnath/stun_msg.c
|
||||
+++ b/pjnath/src/pjnath/stun_msg.c
|
||||
@@ -746,7 +746,7 @@ PJ_DEF(int) pj_stun_set_padding_char(int chr)
|
||||
|
||||
#define INIT_ATTR(a,t,l) (a)->hdr.type=(pj_uint16_t)(t), \
|
||||
(a)->hdr.length=(pj_uint16_t)(l)
|
||||
-#define ATTR_HDR_LEN 4
|
||||
+#define ATTR_HDR_LEN sizeof(pj_stun_attr_hdr)
|
||||
|
||||
static pj_uint16_t GETVAL16H(const pj_uint8_t *buf, unsigned pos)
|
||||
{
|
||||
@@ -2327,6 +2327,14 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
|
||||
status = pj_stun_msg_check(pdu, pdu_len, options);
|
||||
if (status != PJ_SUCCESS)
|
||||
return status;
|
||||
+ } else {
|
||||
+ /* For safety, verify packet length at least */
|
||||
+ pj_uint32_t msg_len = GETVAL16H(pdu, 2) + 20;
|
||||
+ if (msg_len > pdu_len ||
|
||||
+ ((options & PJ_STUN_IS_DATAGRAM) && msg_len != pdu_len))
|
||||
+ {
|
||||
+ return PJNATH_EINSTUNMSGLEN;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Create the message, copy the header, and convert to host byte order */
|
||||
@@ -2345,7 +2353,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
|
||||
p_response = NULL;
|
||||
|
||||
/* Parse attributes */
|
||||
- while (pdu_len >= 4) {
|
||||
+ while (pdu_len >= ATTR_HDR_LEN) {
|
||||
unsigned attr_type, attr_val_len;
|
||||
const struct attr_desc *adesc;
|
||||
|
||||
@@ -2357,7 +2365,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
|
||||
attr_val_len = (attr_val_len + 3) & (~3);
|
||||
|
||||
/* Check length */
|
||||
- if (pdu_len < attr_val_len) {
|
||||
+ if (pdu_len < attr_val_len + ATTR_HDR_LEN) {
|
||||
pj_str_t err_msg;
|
||||
char err_msg_buf[80];
|
||||
|
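Review bot: In the new `else` branch of pj_stun_msg_decode, `GETVAL16H(pdu, 2)` reads bytes 2 and 3 of the packet before anything in this hunk has established that `pdu_len` is at least that long, so a 1–3 byte input decoded without PJ_STUN_CHECK_PACKET is still read past its end; the `msg_len > pdu_len` test that follows only protects the header copy and the attribute loop after it. Unless a minimum-length check already exists earlier in the function (its start is outside the hunk), guard the read first: `if (pdu_len < sizeof(pj_stun_msg_hdr)) return PJNATH_EINSTUNMSGLEN;` placed immediately before the `msg_len` line. Separately, the header's `#pragma pack(1)` / `#pragma pack()` pairs reset alignment to the compiler default rather than restoring whatever packing the including file had in effect; `#pragma pack(push, 1)` / `#pragma pack(pop)` is the form that neither leaks the packing out of this header nor clobbers the includer's state. The relative comparisons against `ATTR_HDR_LEN` are fine now that it is a `sizeof`, since both sides are unsigned.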
@ -0,0 +1,54 @@
|
||||
From bc4812d31a67d5e2f973fbfaf950d6118226cf36 Mon Sep 17 00:00:00 2001
|
||||
From: sauwming <ming@teluu.com>
|
||||
Date: Fri, 23 Dec 2022 15:05:28 +0800
|
||||
Subject: [PATCH] Merge pull request from GHSA-cxwq-5g9x-x7fr
|
||||
|
||||
* Fixed heap buffer overflow when parsing STUN errcode attribute
|
||||
|
||||
* Also fixed uint parsing
|
||||
|
||||
[Retrieved from:
|
||||
https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36]
|
||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
||||
---
|
||||
pjnath/src/pjnath/stun_msg.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
|
||||
index c6b0bdd284..b55d29849a 100644
|
||||
--- a/pjnath/src/pjnath/stun_msg.c
|
||||
+++ b/pjnath/src/pjnath/stun_msg.c
|
||||
@@ -1438,12 +1438,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
|
||||
attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
|
||||
GETATTRHDR(buf, &attr->hdr);
|
||||
|
||||
- attr->value = GETVAL32H(buf, 4);
|
||||
-
|
||||
/* Check that the attribute length is valid */
|
||||
if (attr->hdr.length != 4)
|
||||
return PJNATH_ESTUNINATTRLEN;
|
||||
|
||||
+ attr->value = GETVAL32H(buf, 4);
|
||||
+
|
||||
/* Done */
|
||||
*p_attr = attr;
|
||||
|
||||
@@ -1757,14 +1757,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
|
||||
attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
|
||||
GETATTRHDR(buf, &attr->hdr);
|
||||
|
||||
+ /* Check that the attribute length is valid */
|
||||
+ if (attr->hdr.length < 4)
|
||||
+ return PJNATH_ESTUNINATTRLEN;
|
||||
+
|
||||
attr->err_code = buf[6] * 100 + buf[7];
|
||||
|
||||
/* Get pointer to the string in the message */
|
||||
value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
|
||||
value.slen = attr->hdr.length - 4;
|
||||
- /* Make sure the length is never negative */
|
||||
- if (value.slen < 0)
|
||||
- value.slen = 0;
|
||||
|
||||
/* Copy the string to the attribute */
|
||||
pj_strdup(pool, &attr->reason, &value);
|
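Review bot: decode_errcode_attr now rejects `hdr.length < 4` before touching `buf[6]`, `buf[7]` and the reason string, but nothing in this function checks that those `hdr.length + 4` bytes actually lie inside the received packet — the new check bounds only the attribute's self-declared length. That is sound only because the attribute loop in pj_stun_msg_decode verifies `pdu_len < attr_val_len + ATTR_HDR_LEN` before dispatching to the decoders (visible in the companion 0001 patch), and since this function's head is outside the hunk that dependency deserves a comment above the new check, e.g. `/* Caller guarantees hdr.length + ATTR_HDR_LEN bytes are readable at buf; only the attribute's internal layout is validated here. */`; the same reasoning applies to the relocated `GETVAL32H(buf, 4)` in decode_uint_attr. It is also worth noting that `buf[6] * 100 + buf[7]` neither masks the class byte to its low 3 bits nor bounds the number to 0..99 as RFC 5389 §15.6 specifies, so a malformed peer can still yield an out-of-range err_code, though that behaviour predates this commit.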
@ -15,6 +15,12 @@ LIBPJSIP_CPE_ID_PRODUCT = pjsip
|
||||
LIBPJSIP_INSTALL_STAGING = YES
|
||||
LIBPJSIP_MAKE = $(MAKE1)
|
||||
|
||||
# 0001-Merge-pull-request-from-GHSA-9pfh-r8x4-w26w.patch
|
||||
LIBPJSIP_IGNORE_CVES += CVE-2022-23537
|
||||
|
||||
# 0002-Merge-pull-request-from-GHSA-cxwq-5g9x-x7fr.patch
|
||||
LIBPJSIP_IGNORE_CVES += CVE-2022-23547
|
||||
|
||||
LIBPJSIP_CFLAGS = $(TARGET_CFLAGS) -DPJ_HAS_IPV6=1
|
||||
|
||||
# relocation truncated to fit: R_68K_GOT16O
|
||||
|