Fix possible overflow in SLPFoldWhiteSpace, CVE-2016-7567

2017-03-14 10:57:34 +01:00 · 2017-03-14 10:57:34 +01:00 · fe53ac5a86
commit fe53ac5a86
parent 5dc5cecdd3
2 changed files with 99 additions and 1 deletions
--- a/openslp-2.0.0-cve-2016-7567.patch
+++ b/openslp-2.0.0-cve-2016-7567.patch
@ -0,0 +1,90 @@
+diff -up openslp-2.0.0/common/slp_compare.c.orig openslp-2.0.0/common/slp_compare.c
+--- openslp-2.0.0/common/slp_compare.c.orig	2012-12-12 20:12:43.000000000 +0100
+++ openslp-2.0.0/common/slp_compare.c	2017-03-14 10:51:36.480675991 +0100
+@@ -194,7 +194,8 @@ static int SLPUnescapeInPlace(size_t len
+  * @return The new (shorter) length of @p str.
+  *
+  * @note This routine assumes that leading and trailing white space have
+- *    already been removed from @p str.
+ *    already been removed from @p str. It also assumes that @p str may
+ *    not be null-terminated.
+  */
+ static int SLPFoldWhiteSpace(size_t len, char * str)
+ {
+@@ -203,11 +204,11 @@ static int SLPFoldWhiteSpace(size_t len,
+    {
+       if (isspace(*p))
+       {
+-         char * ws2p = ++p;         /* Point ws2p to the second ws char. */
+-         while (isspace(*p))        /* Scan till we hit a non-ws char. */
+         char * ws2p = ++p;            /* Point ws2p to the second ws char. */
+         while (p < ep && isspace(*p)) /* Scan till we hit a non-ws char. */
+             p++;
+-         len -= p - ws2p;           /* Reduce the length by extra ws. */
+-         memmove(ws2p, p, ep - p);  /* Overwrite the extra white space. */
+         len -= p - ws2p;              /* Reduce the length by extra ws. */
+         memmove(ws2p, p, ep - p);     /* Overwrite the extra white space. */
+       }
+       p++;
+    }
+@@ -821,6 +822,50 @@ int SLPCheckAttributeListSyntax(const ch
+ 
+ #ifdef SLP_COMPARE_TEST
+ 
+/* Test boundary conditions of SLPFoldWhiteSpace. */
+static int test_SLPFoldWhiteSpace(void)
+{
+   static char test_str0[] = "    ";
+   static char test_str1[] = "Blah";
+   static char test_str3[] = "Blah  blah";
+   static char test_str4[] = "Blah   blah";
+   static char test_str5[] = "Blah blah  blah";
+   static char test_str8[] = " Blah blah";
+   static char test_str9[] = "  Blah blah";
+   static char test_strC[] = "Blah blah      ";
+   static char test_strD[] = "Blah blah  xxxx";
+
+   static char * test_strs[] =
+   {
+      test_str0, test_str0, test_str0, test_str1, test_strC,
+      test_str3, test_str4, test_str5, test_strC, test_strC,
+      test_str8, test_str9, test_strC, test_strD,
+   };
+
+   static int test_lens[] =
+   {
+      0, 1, 2, 4, 9, 10, 11, 15, 10, 11, 10, 11, 11, 11,
+   };
+
+   static int test_fins[] =
+   {
+      0, 1, 1, 4, 9, 9, 9, 14, 10, 10, 10, 10, 10, 10,
+   };
+
+#define MAX_BUFSZ 32
+
+   int i;
+   for (i = 0; i < sizeof(test_strs) / sizeof(*test_strs); ++i)
+   {
+      char test_buf[MAX_BUFSZ];
+      memmove(test_buf, test_strs[i], test_lens[i]);
+      int len = SLPFoldWhiteSpace(test_lens[i], test_buf);
+      if (len != test_fins[i])
+         return -1;
+   }
+   return 0;
+}
+
+ /* ---------------- Test main for the slp_compare.c module ----------------
+  *
+  * Compile with:
+@@ -840,6 +885,9 @@ int main(void)
+ 
+    int count;
+ 
+   if (test_SLPFoldWhiteSpace() != 0)
+      return -1;
+
+    /* *** SLPContainsStringList ***
+     */
+    count = SLPContainsStringList(sizeof lst1 - 1, lst1, sizeof str1 - 1, str1);
--- a/openslp.spec
+++ b/openslp.spec
@ -2,7 +2,7 @@
 Summary: Open implementation of Service Location Protocol V2
 Name:    openslp
 Version: 2.0.0
-Release: 11%{?dist}
+Release: 12%{?dist}

 Group:   System Environment/Libraries
 License: BSD
@ -25,6 +25,9 @@ Patch2:  openslp-2.0.0-notify-systemd-of-start-up.patch
 Patch3:  openslp-2.0.0-null-pointer-deref.patch
 # Patch4: fixes FTBFS because of openssl-1.1
 Patch4:  openslp-2.0.0-openssl-1.1-fix.patch
+# Patch5: fixes possible overflow in SLPFoldWhiteSpace,
+#   backported from upstream, CVE-2016-7567
+Patch5:  openslp-2.0.0-cve-2016-7567.patch

 BuildRequires: automake libtool
 BuildRequires: bison
@ -67,6 +70,7 @@ OpenSLP server daemon to dynamically register services.
 %patch2 -p2 -b .systemd
 %patch3 -p1 -b .null-pointer-deref
 %patch4 -p1 -b .openssl-1.1-fix
+%patch5 -p1 -b .cve-2016-7567

 # tarball goof (?), it wants to re-automake anyway, so let's do it right.
 #libtoolize --force
@ -180,6 +184,10 @@ rm -rf $RPM_BUILD_ROOT


 %changelog
+* Tue Mar 14 2017 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.0.0-12
+- Fix possible overflow in SLPFoldWhiteSpace, CVE-2016-7567
+  Resolves: #1379988
+
 * Wed Feb 22 2017 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.0.0-11
 - Fix FTBFS because of openssl-1.1
  Resolves: #1424028