Replaced call-init-fix patch by vector-remove-fix patch from upstream
Related: rhbz#1183627 - Fixed one deref_after_free (by call-use-after-free-fix patch)
This commit is contained in:
parent
ced652b210
commit
92b9d5e998
@ -1,12 +0,0 @@
|
||||
diff --git a/pptp_ctrl.c b/pptp_ctrl.c
|
||||
index 9864374..1948bce 100644
|
||||
--- a/pptp_ctrl.c
|
||||
+++ b/pptp_ctrl.c
|
||||
@@ -351,6 +351,7 @@ PPTP_CALL * pptp_call_open(PPTP_CONN * conn, pptp_call_cb callback,
|
||||
/* allocate structure. */
|
||||
if ((call = malloc(sizeof(*call))) == NULL) return NULL;
|
||||
/* Initialize call structure */
|
||||
+ memset(call, 0, sizeof(*call));
|
||||
call->call_type = PPTP_CALL_PNS;
|
||||
call->state.pns = PNS_IDLE;
|
||||
call->call_id = (u_int16_t) i;
|
||||
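--- /dev/null
+++ b/pptp-1.8.0-call-use-after-free-fix.patch
@@ -0,0 +1,23 @@
+diff --git a/pptp_ctrl.c b/pptp_ctrl.c
+index 9864374..416f416 100644
+--- a/pptp_ctrl.c
++++ b/pptp_ctrl.c
+@@ -928,6 +928,7 @@ int ctrlp_disp(PPTP_CONN * conn, void * buffer, size_t size)
+PPTP_HEADER_CTRL(PPTP_CALL_CLEAR_NTFY), packet->call_id,
+1, PPTP_GENERAL_ERROR_NONE, 0, 0, {0}
+};
++ int i;
+log("Received Call Clear Request.");
+if (vector_contains(conn->call, ntoh16(packet->call_id))) {
+PPTP_CALL * call;
+@@ -935,8 +936,9 @@ int ctrlp_disp(PPTP_CONN * conn, void * buffer, size_t size)
+if (call->callback != NULL)
+call->callback(conn, call, CALL_CLOSE_RQST);
+if (pptp_send_ctrl_packet(conn, &reply, sizeof(reply))) {
++ i = call->call_id;
+pptp_call_destroy(conn, call);
+- log("Call closed (RQST) (call id %d)", (int) call->call_id);
++ log("Call closed (RQST) (call id %d)", i);
+}
+}
+break;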
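Review bot: The temporary introduced at `+ i = call->call_id;` exists only because `pptp_call_destroy(conn, call);` frees `call` before the log on the following line, but the name `i` reads as a loop index and nothing in the patch records why the copy is made. Naming it for what it holds and stating the reason keeps a later edit from moving the log back after the destroy: `int call_id = call->call_id; /* saved: pptp_call_destroy() frees call */` with the log becoming `log("Call closed (RQST) (call id %d)", call_id);`. The `int i;` declaration is also placed after the `reply` initializer, well before its single use; if the project builds as C99 or later it can be declared at the assignment. The commit message says one deref-after-free was fixed; other callers of pptp_call_destroy() that log afterwards are outside this hunk and would be worth the same check. ctrlp_disp's body begins and ends outside the hunk.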
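--- /dev/null
+++ b/pptp-1.8.0-vector-remove-fix.patch
@@ -0,0 +1,34 @@
+From ca29b846ccb924df388a1d396a25325c32b2e346 Mon Sep 17 00:00:00 2001
+From: James Cameron <quozl@laptop.org>
+Date: Thu, 22 Jan 2015 10:36:45 +1100
+Subject: [PATCH] vector: remove clobbered heap
+
+While running vector_test.c under valgrind, observed read and writes
+beyond allocated memory.
+
+Cause was bad calculation of length to move when an item is being
+removed from a vector.
+
+Combined with a shortage of memory (a malloc fail in pptp_conn_open),
+may be a cause of
+https://bugzilla.redhat.com/show_bug.cgi?id=1183627
+---
+vector.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/vector.c b/vector.c
+index d0b5027..703e523 100644
+--- a/vector.c
++++ b/vector.c
+@@ -115,7 +115,7 @@ int vector_remove(VECTOR *v, int key)
+assert(v != NULL);
+if ((tmp =binary_search(v,key)) == NULL) return FALSE;
+assert(tmp >= v->item && tmp < v->item + v->size);
+- memmove(tmp, tmp + 1, (v->size - (v->item - tmp) - 1) * sizeof(*(v->item)));
++ memmove(tmp, tmp + 1, (v->size - (tmp - v->item) - 1) * sizeof(*(v->item)));
+v->size--;
+return TRUE;
+}
+--
+1.8.3.2
+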
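Review bot: The corrected length at `+ memmove(tmp, tmp + 1, (v->size - (tmp - v->item) - 1) * sizeof(*(v->item)));` is right, but it is the mirror image of the line it replaces and the sign error is easy to reintroduce: the old `v->size - (v->item - tmp) - 1` equals `v->size + index - 1`, which for any item past the first moves more elements than remain after `tmp` and so reads and writes beyond the item array, matching the valgrind report in the patch description. Splitting the index out makes the count self-evident, `ptrdiff_t idx = tmp - v->item;` followed by `memmove(tmp, tmp + 1, (size_t)(v->size - idx - 1) * sizeof *tmp);`, with a comment such as `/* close the gap: shift the size-idx-1 items after tmp down by one */`. Because this file is carried verbatim from upstream, such a change belongs upstream rather than in the package. The `assert` on the preceding line is the only visible bounds check on `tmp` and is compiled out under NDEBUG, so `binary_search()` must already guarantee an in-range result; that helper and the start of vector_remove are outside the hunk.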
15
pptp.spec
15
pptp.spec
@ -1,6 +1,6 @@
|
||||
Name: pptp
|
||||
Version: 1.8.0
|
||||
Release: 5%{?dist}
|
||||
Release: 6%{?dist}
|
||||
Summary: Point-to-Point Tunneling Protocol (PPTP) Client
|
||||
Group: Applications/Internet
|
||||
License: GPLv2+
|
||||
@ -8,8 +8,9 @@ URL: http://pptpclient.sourceforge.net/
|
||||
Source0: http://downloads.sf.net/pptpclient/pptp-%{version}.tar.gz
|
||||
Source1: pptp-tmpfs.conf
|
||||
Patch0: pptp-1.7.2-pptpsetup-mppe.patch
|
||||
# patch sent upstream
|
||||
Patch1: pptp-1.8.0-call-init-fix.patch
|
||||
# patch from upstream
|
||||
Patch1: pptp-1.8.0-vector-remove-fix.patch
|
||||
Patch2: pptp-1.8.0-call-use-after-free-fix.patch
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
|
||||
BuildRequires: /usr/bin/pod2man
|
||||
Requires: ppp >= 2.4.2, /sbin/ip
|
||||
@ -38,7 +39,8 @@ tunnels.
|
||||
# Fedora releases and EL ≥ 5 include MPPE support out of the box (#502967)
|
||||
%patch0 -p1 -b .mppe
|
||||
|
||||
%patch1 -p1 -b .call-init-fix
|
||||
%patch1 -p1 -b .vector-remove-fix
|
||||
%patch2 -p1 -b .call-use-after-free-fix
|
||||
|
||||
# Pacify rpmlint
|
||||
perl -pi -e 's/install -o root -m 555 pptp/install -m 755 pptp/;' Makefile
|
||||
@ -80,6 +82,11 @@ rm -rf %{buildroot}
|
||||
%{_mandir}/man8/pptpsetup.8*
|
||||
|
||||
%changelog
|
||||
* Fri Jan 23 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 1.8.0-6
|
||||
- Replaced call-init-fix patch by vector-remove-fix patch from upstream
|
||||
Related: rhbz#1183627
|
||||
- Fixed one deref_after_free (by call-use-after-free-fix patch)
|
||||
|
||||
* Tue Jan 20 2015 Jaroslav Škarvada <jskarvad@redhat.com> - 1.8.0-5
|
||||
- Fixed initialization of the call structure
|
||||
Resolves: rhbz#1183627
|
||||
|
||||
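Review bot: The new `Patch1: pptp-1.8.0-vector-remove-fix.patch` is introduced with the comment `# patch from upstream`, while the upstream commit it corresponds to is only discoverable by opening the patch file (its first line reads `From ca29b846ccb924df388a1d396a25325c32b2e346`); recording it in the spec, e.g. `# patch from upstream, commit ca29b846ccb924df388a1d396a25325c32b2e346`, makes the carried patch checkable at the next rebase. `Patch2: pptp-1.8.0-call-use-after-free-fix.patch` has no provenance comment at all, unlike both of its neighbours; a line stating whether it was sent upstream, as the replaced call-init-fix patch had, would keep the file's convention. The matching `%patch2 -p1 -b .call-use-after-free-fix` line in %prep is consistent with the declaration, so only the comments are missing.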