35 lines
1.1 KiB
Diff
35 lines
1.1 KiB
Diff
https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd
|
|
|
|
From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
|
|
From: Nathan Crandall <ncrandall@tesla.com>
|
|
Date: Tue, 12 Jul 2022 08:56:34 +0200
|
|
Subject: gweb: Fix OOB write in received_data()
|
|
|
|
There is a mismatch of handling binary vs. C-string data with memchr
|
|
and strlen, resulting in pos, count, and bytes_read to become out of
|
|
sync and result in a heap overflow. Instead, do not treat the buffer
|
|
as an ASCII C-string. We calculate the count based on the return value
|
|
of memchr, instead of strlen.
|
|
|
|
Fixes: CVE-2022-32292
|
|
---
|
|
gweb/gweb.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/gweb/gweb.c b/gweb/gweb.c
|
|
index 12fcb1d8..13c6c5f2 100644
|
|
--- a/gweb/gweb.c
|
|
+++ b/gweb/gweb.c
|
|
@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
|
|
}
|
|
|
|
*pos = '\0';
|
|
- count = strlen((char *) ptr);
|
|
+ count = pos - ptr;
|
|
if (count > 0 && ptr[count - 1] == '\r') {
|
|
ptr[--count] = '\0';
|
|
bytes_read--;
|
|
--
|
|
cgit
|
|
|