rpms/openslp
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix possible overflow in SLPFoldWhiteSpace, CVE-2016-7567

Browse Source
This commit is contained in:
Vitezslav Crhonek 2017-03-14 10:57:34 +01:00
parent 5dc5cecdd3
commit fe53ac5a86
2 changed files with 99 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

90
openslp-2.0.0-cve-2016-7567.patch Normal file
View File

@ -0,0 +1,90 @@
diff -up openslp-2.0.0/common/slp_compare.c.orig openslp-2.0.0/common/slp_compare.c
--- openslp-2.0.0/common/slp_compare.c.orig 2012-12-12 20:12:43.000000000 +0100
+++ openslp-2.0.0/common/slp_compare.c 2017-03-14 10:51:36.480675991 +0100
@@ -194,7 +194,8 @@ static int SLPUnescapeInPlace(size_t len
* @return The new (shorter) length of @p str.
*
* @note This routine assumes that leading and trailing white space have
- * already been removed from @p str.
+ * already been removed from @p str. It also assumes that @p str may
+ * not be null-terminated.
*/
static int SLPFoldWhiteSpace(size_t len, char * str)
{
@@ -203,11 +204,11 @@ static int SLPFoldWhiteSpace(size_t len,
{
if (isspace(*p))
{
- char * ws2p = ++p; /* Point ws2p to the second ws char. */
- while (isspace(*p)) /* Scan till we hit a non-ws char. */
+ char * ws2p = ++p; /* Point ws2p to the second ws char. */
+ while (p < ep && isspace(*p)) /* Scan till we hit a non-ws char. */
p++;
- len -= p - ws2p; /* Reduce the length by extra ws. */
- memmove(ws2p, p, ep - p); /* Overwrite the extra white space. */
+ len -= p - ws2p; /* Reduce the length by extra ws. */
+ memmove(ws2p, p, ep - p); /* Overwrite the extra white space. */
}
p++;
}
@@ -821,6 +822,50 @@ int SLPCheckAttributeListSyntax(const ch
#ifdef SLP_COMPARE_TEST
+/* Test boundary conditions of SLPFoldWhiteSpace. */
+static int test_SLPFoldWhiteSpace(void)
+{
+ static char test_str0[] = " ";
+ static char test_str1[] = "Blah";
+ static char test_str3[] = "Blah blah";
+ static char test_str4[] = "Blah blah";
+ static char test_str5[] = "Blah blah blah";
+ static char test_str8[] = " Blah blah";
+ static char test_str9[] = " Blah blah";
+ static char test_strC[] = "Blah blah ";
+ static char test_strD[] = "Blah blah xxxx";
+
+ static char * test_strs[] =
+ {
+ test_str0, test_str0, test_str0, test_str1, test_strC,
+ test_str3, test_str4, test_str5, test_strC, test_strC,
+ test_str8, test_str9, test_strC, test_strD,
+ };
+
+ static int test_lens[] =
+ {
+ 0, 1, 2, 4, 9, 10, 11, 15, 10, 11, 10, 11, 11, 11,
+ };
+
+ static int test_fins[] =
+ {
+ 0, 1, 1, 4, 9, 9, 9, 14, 10, 10, 10, 10, 10, 10,
+ };
+
+#define MAX_BUFSZ 32
+
+ int i;
+ for (i = 0; i < sizeof(test_strs) / sizeof(*test_strs); ++i)
+ {
+ char test_buf[MAX_BUFSZ];
+ memmove(test_buf, test_strs[i], test_lens[i]);
+ int len = SLPFoldWhiteSpace(test_lens[i], test_buf);
+ if (len != test_fins[i])
+ return -1;
+ }
+ return 0;
+}
+
/* ---------------- Test main for the slp_compare.c module ----------------
*
* Compile with:
@@ -840,6 +885,9 @@ int main(void)
int count;
+ if (test_SLPFoldWhiteSpace() != 0)
+ return -1;
+
/* *** SLPContainsStringList ***
*/
count = SLPContainsStringList(sizeof lst1 - 1, lst1, sizeof str1 - 1, str1);

10
openslp.spec
View File

@ -2,7 +2,7 @@
Summary: Open implementation of Service Location Protocol V2 Summary: Open implementation of Service Location Protocol V2
Name: openslp Name: openslp
Version: 2.0.0 Version: 2.0.0
Release: 11%{?dist} Release: 12%{?dist}
Group: System Environment/Libraries Group: System Environment/Libraries
License: BSD License: BSD
@ -25,6 +25,9 @@ Patch2: openslp-2.0.0-notify-systemd-of-start-up.patch
Patch3: openslp-2.0.0-null-pointer-deref.patch Patch3: openslp-2.0.0-null-pointer-deref.patch
# Patch4: fixes FTBFS because of openssl-1.1 # Patch4: fixes FTBFS because of openssl-1.1
Patch4: openslp-2.0.0-openssl-1.1-fix.patch Patch4: openslp-2.0.0-openssl-1.1-fix.patch
# Patch5: fixes possible overflow in SLPFoldWhiteSpace,
# backported from upstream, CVE-2016-7567
Patch5: openslp-2.0.0-cve-2016-7567.patch
BuildRequires: automake libtool BuildRequires: automake libtool
BuildRequires: bison BuildRequires: bison
@ -67,6 +70,7 @@ OpenSLP server daemon to dynamically register services.
%patch2 -p2 -b .systemd %patch2 -p2 -b .systemd
%patch3 -p1 -b .null-pointer-deref %patch3 -p1 -b .null-pointer-deref
%patch4 -p1 -b .openssl-1.1-fix %patch4 -p1 -b .openssl-1.1-fix
%patch5 -p1 -b .cve-2016-7567
# tarball goof (?), it wants to re-automake anyway, so let's do it right. # tarball goof (?), it wants to re-automake anyway, so let's do it right.
#libtoolize --force #libtoolize --force
@ -180,6 +184,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog %changelog
* Tue Mar 14 2017 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.0.0-12
- Fix possible overflow in SLPFoldWhiteSpace, CVE-2016-7567
Resolves: #1379988
* Wed Feb 22 2017 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.0.0-11 * Wed Feb 22 2017 Vitezslav Crhonek <vcrhonek@redhat.com> - 2.0.0-11
- Fix FTBFS because of openssl-1.1 - Fix FTBFS because of openssl-1.1
Resolves: #1424028 Resolves: #1424028