diff options
Diffstat (limited to 'meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch')
-rw-r--r-- | meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch new file mode 100644 index 0000000000..310728aaca --- /dev/null +++ b/meta-networking/recipes-daemons/atftp/atftp/0001-options.c-Proper-fix-for-the-read-past-end-of-array.patch @@ -0,0 +1,48 @@ +From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001 +From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de> +Date: Wed, 10 Jan 2018 17:01:20 +0100 +Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array + +This properly fixes what commit:b3e36dd tried to do. + +CVE: CVE-2021-46671 +Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch] +Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> + +--- + options.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/options.c b/options.c +index ee419c6..c716994 100644 +--- a/options.c ++++ b/options.c +@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - requests always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + /* read filename */ + entry = argz_next(tftp_data->th_stuff, size, entry); + if (!entry) +@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options) + struct tftphdr *tftp_data = (struct tftphdr *)data; + size_t size = data_size - sizeof(tftp_data->th_opcode); + ++ /* sanity check - options always end in a null byte, ++ * check to prevent argz_next from reading past the end of ++ * data, as it doesn't do bounds checks */ ++ if (data_size == 0 || data[data_size-1] != '\0') ++ return ERR; ++ + while ((entry = argz_next(tftp_data->th_stuff, size, entry))) + { + tmp = entry; +-- +2.17.1 + |