Fix heap memory corruption, CVE-2017-17833

This commit is contained in:
Vitezslav Crhonek 2018-05-09 13:40:46 +02:00
parent 41d65cc427
commit ec6ddd9a35
2 changed files with 29 additions and 1 deletions

View File

@ -0,0 +1,19 @@
diff -up openslp-2.0.0/slpd/slpd_process.c.orig openslp-2.0.0/slpd/slpd_process.c
--- openslp-2.0.0/slpd/slpd_process.c.orig 2018-05-09 13:08:06.185104375 +0200
+++ openslp-2.0.0/slpd/slpd_process.c 2018-05-09 13:07:21.017095089 +0200
@@ -462,6 +462,15 @@ static int ProcessSrvRqst(SLPMessage * m
message->body.srvrqst.srvtype, 23, SLP_DA_SERVICE_TYPE) == 0)
{
errorcode = ProcessDASrvRqst(message, sendbuf, errorcode);
+
+ if (result != *sendbuf)
+ {
+ // The pointer stored at *sendbuf can be modified by a realloc
+ // operation in ProcessDASrvRqst(). Fix up the local copy of
+ // that pointer if necessary.
+ result = *sendbuf;
+ }
+
if (errorcode == 0)
{
/* Since we have an errorcode of 0, we were successful,

View File

@ -2,7 +2,7 @@
Summary: Open implementation of Service Location Protocol V2
Name: openslp
Version: 2.0.0
Release: 17%{?dist}
Release: 18%{?dist}
License: BSD
URL: http://sourceforge.net/projects/openslp/
@ -26,6 +26,10 @@ Patch4: openslp-2.0.0-openssl-1.1-fix.patch
# Patch5: fixes possible overflow in SLPFoldWhiteSpace,
# backported from upstream, CVE-2016-7567
Patch5: openslp-2.0.0-cve-2016-7567.patch
# Patch6: fixes heap memory corruption in slpd/slpd_process.c, which allows
# denial of service or potentially code execution,
# backported form upstream, CVE-2017-17833
Patch6: openslp-2.0.0-cve-2017-17833.patch
BuildRequires: automake libtool
BuildRequires: bison
@ -67,6 +71,7 @@ OpenSLP server daemon to dynamically register services.
%patch3 -p1 -b .null-pointer-deref
%patch4 -p1 -b .openssl-1.1-fix
%patch5 -p1 -b .cve-2016-7567
%patch6 -p1 -b .cve-2017-17833
# tarball goof (?), it wants to re-automake anyway, so let's do it right.
#libtoolize --force
@ -170,6 +175,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/lib*.la
%changelog
* Wed May 09 2018 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.0.0-18
- Fix heap memory corruption, CVE-2017-17833
Related: #1572166
* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.0-17
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild