Fix heap overwrite vulnerability, CVE-2019-5544

2019-12-09 10:58:19 +01:00 · 2019-12-09 10:58:19 +01:00 · e84b8f7632
commit e84b8f7632
parent 98f042611d
2 changed files with 174 additions and 1 deletions
--- a/openslp-2.0.0-cve-2019-5544.patch
+++ b/openslp-2.0.0-cve-2019-5544.patch
@ -0,0 +1,165 @@
+diff -up openslp-2.0.0/common/slp_buffer.c.orig openslp-2.0.0/common/slp_buffer.c
+--- openslp-2.0.0/common/slp_buffer.c.orig	2012-12-11 00:31:53.000000000 +0100
+++ openslp-2.0.0/common/slp_buffer.c	2019-12-09 10:39:16.422058793 +0100
+@@ -30,6 +30,13 @@
+  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  *-------------------------------------------------------------------------*/
+ 
+/* Copyright (c) 2019 VMware, Inc.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * This file is provided under the BSD-3-Clause license.
+ * See COPYING file for more details and other copyrights
+ * that may apply.
+ */
+
+ /** Functions for managing SLP message buffers.
+  *
+  * This file provides a higher level abstraction over malloc and free that
+@@ -153,4 +160,20 @@ void SLPBufferFree(SLPBuffer buf)
+    xfree(buf);
+ }
+ 
+/** Report remaining free buffer size in bytes.
+ *
+ * Check if buffer is allocated and if so return bytes left in a
+ * @c SLPBuffer object.
+ *
+ * @param[in] buf The SLPBuffer to be freed.
+ */
+size_t
+RemainingBufferSpace(SLPBuffer buf)
+{
+   if (buf->allocated == 0) {
+      return 0;
+   }
+   return buf->end - buf->curpos;
+}
+
+ /*=========================================================================*/
+diff -up openslp-2.0.0/common/slp_buffer.h.orig openslp-2.0.0/common/slp_buffer.h
+--- openslp-2.0.0/common/slp_buffer.h.orig	2012-11-28 18:07:04.000000000 +0100
+++ openslp-2.0.0/common/slp_buffer.h	2019-12-09 10:39:16.422058793 +0100
+@@ -30,6 +30,13 @@
+  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  *-------------------------------------------------------------------------*/
+ 
+/* Copyright (c) 2019 VMware, Inc.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * This file is provided under the BSD-3-Clause license.
+ * See COPYING file for more details and other copyrights
+ * that may apply.
+ */
+
+ /** Header file that defines SLP message buffer management routines.
+  *
+  * Includes structures, constants and functions that used to handle memory 
+@@ -78,6 +85,8 @@ SLPBuffer SLPBufferListRemove(SLPBuffer
+ 
+ SLPBuffer SLPBufferListAdd(SLPBuffer * list, SLPBuffer buf);
+ 
+size_t RemainingBufferSpace(SLPBuffer buf);
+
+ /*! @} */
+ 
+ #endif /* SLP_BUFFER_H_INCLUDED */
+diff -up openslp-2.0.0/slpd/slpd_process.c.orig openslp-2.0.0/slpd/slpd_process.c
+--- openslp-2.0.0/slpd/slpd_process.c.orig	2019-12-09 10:39:16.420058789 +0100
+++ openslp-2.0.0/slpd/slpd_process.c	2019-12-09 10:39:16.422058793 +0100
+@@ -30,6 +30,13 @@
+  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  *-------------------------------------------------------------------------*/
+ 
+/* Copyright (c) 2019 VMware, Inc.
+ * SPDX-License-Identifier: BSD-3-Clause
+ * This file is provided under the BSD-3-Clause license.
+ * See COPYING file for more details and other copyrights
+ * that may apply.
+ */
+
+ /** Processes incoming SLP messages.
+  *
+  * @file       slpd_process.c
+@@ -523,13 +530,27 @@ RESPOND:
+    {
+       for (i = 0; i < db->urlcount; i++)
+       {
+-         /* urlentry is the url from the db result */
+          urlentry = db->urlarray[i];
+         if (urlentry->opaque != NULL) {
+            const int64_t newsize = size + urlentry->opaquelen;
+            if (urlentry->opaquelen <= 0 || newsize > INT_MAX)
+            {
+               SLPDLog("Invalid opaquelen %d or sizeo of opaque url is too big, size=%d\n",
+                       urlentry->opaquelen, size);
+               errorcode = SLP_ERROR_PARSE_ERROR;
+               goto FINISHED;
+            }
+            size +=  urlentry->opaquelen;
+         }
+         else
+         {
+            /* urlentry is the url from the db result */
+            size += urlentry->urllen + 6; /*  1 byte for reserved  */
+                                          /*  2 bytes for lifetime */
+                                          /*  2 bytes for urllen   */
+                                          /*  1 byte for authcount */
+          }
+ 
+-         size += urlentry->urllen + 6; /*  1 byte for reserved  */
+-                                       /*  2 bytes for lifetime */
+-                                       /*  2 bytes for urllen   */
+-                                       /*  1 byte for authcount */
+ #ifdef ENABLE_SLPv2_SECURITY
+          /* make room to include the authblock that was asked for */
+          if (G_SlpdProperty.securityEnabled
+@@ -603,7 +624,7 @@ RESPOND:
+          urlentry = db->urlarray[i];
+ 
+ #ifdef ENABLE_SLPv1
+-         if (urlentry->opaque == 0)
+         if (urlentry->opaque == NULL)
+          {
+             /* url-entry reserved */
+             *result->curpos++ = 0;
+@@ -615,8 +636,18 @@ RESPOND:
+             PutUINT16(&result->curpos, urlentry->urllen);
+ 
+             /* url-entry url */
+-            memcpy(result->curpos, urlentry->url, urlentry->urllen);
+-            result->curpos += urlentry->urllen;
+            if (RemainingBufferSpace(result) >= urlentry->urllen)
+            {
+               memcpy(result->curpos, urlentry->url, urlentry->urllen);
+               result->curpos = result->curpos + urlentry->urllen;
+            }
+            else
+            {
+                SLPDLog("Url too big (ask: %d have %" PRId64 "), failing request\n",
+                        urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
+                errorcode = SLP_ERROR_PARSE_ERROR;
+                goto FINISHED;
+            }
+ 
+             /* url-entry auths */
+             *result->curpos++ = 0;
+@@ -630,8 +661,18 @@ RESPOND:
+ 
+             /* TRICKY: Fix up the lifetime. */
+             TO_UINT16(urlentry->opaque + 1, urlentry->lifetime);
+-            memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
+-            result->curpos += urlentry->opaquelen;
+            if (RemainingBufferSpace(result) >= urlentry->opaquelen)
+            {
+               memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
+               result->curpos = result->curpos + urlentry->opaquelen;
+             }
+             else
+             {
+               SLPDLog("Opaque Url too big (ask: %d have %" PRId64 "), failing request\n",
+                       urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
+               errorcode = SLP_ERROR_PARSE_ERROR;
+               goto FINISHED;
+             }
+          }
+       }
+    }
--- a/openslp.spec
+++ b/openslp.spec
@ -2,7 +2,7 @@
 Summary: Open implementation of Service Location Protocol V2
 Name:    openslp
 Version: 2.0.0
-Release: 22%{?dist}
+Release: 23%{?dist}

 License: BSD
 URL:     http://sourceforge.net/projects/openslp/
@ -30,6 +30,9 @@ Patch5:  openslp-2.0.0-cve-2016-7567.patch
 #   denial of service or potentially code execution,
 #   backported form upstream, CVE-2017-17833
 Patch6:  openslp-2.0.0-cve-2017-17833.patch
+# Patch7: fixes a heap overwrite vulnerability
+#   leading to remote code execution
+Patch7:  openslp-2.0.0-cve-2019-5544.patch

 BuildRequires: automake libtool
 BuildRequires: bison
@ -69,6 +72,7 @@ OpenSLP server daemon to dynamically register services.
 %patch4 -p1 -b .openssl-1.1-fix
 %patch5 -p1 -b .cve-2016-7567
 %patch6 -p1 -b .cve-2017-17833
+%patch7 -p1 -b .cve-2019-5544

 # tarball goof (?), it wants to re-automake anyway, so let's do it right.
 #libtoolize --force
@ -167,6 +171,10 @@ rm -f  $RPM_BUILD_ROOT%{_libdir}/lib*.la


 %changelog
+* Mon Dec 09 2019 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.0.0-23
+- Fix heap overwrite vulnerability, CVE-2019-5544
+  Resolves: #1780754
+
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-22
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild