meta-oe/recipes-extended/dlt-daemon/dlt-daemon/275.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

Upstream-status: Backport
CVE: CVE-2020-29394
From 7f5cd5404a03fa330e192084f6bdafb2dc9bdcb7 Mon Sep 17 00:00:00 2001
From: GwanYeong Kim <gy741.kim@gmail.com>
Date: Sat, 28 Nov 2020 12:24:46 +0900
Subject: [PATCH] dlt_common: Fix buffer overflow in dlt_filter_load

A buffer overflow in the dlt_filter_load function in dlt_common.c in dlt-daemon allows arbitrary code execution via an unsafe usage of fscanf, because it does not limit the number of characters to be read in a format argument.

Fixed: #274

Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com>
---
 src/shared/dlt_common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
index 254f4ce4..d15b1cec 100644
--- a/src/shared/dlt_common.c
+++ b/src/shared/dlt_common.c
@@ -404,7 +404,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
     while (!feof(handle)) {
         str1[0] = 0;
 
-        if (fscanf(handle, "%s", str1) != 1)
+        if (fscanf(handle, "%254s", str1) != 1)
             break;
 
         if (str1[0] == 0)
@@ -419,7 +419,7 @@ DltReturnValue dlt_filter_load(DltFilter *filter, const char *filename, int verb
 
         str1[0] = 0;
 
-        if (fscanf(handle, "%s", str1) != 1)
+        if (fscanf(handle, "%254s", str1) != 1)
             break;
 
         if (str1[0] == 0)