NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

package/rtl_433: fix CVE-2022-25051

Browse Source 
An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when
decoding a crafted file.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
This commit is contained in:
Fabrice Fontaine 2022-03-17 22:42:03 +01:00 committed by Yann E. MORIN
parent 3e1de2ef06
commit 0368e0abd0
2 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
package/rtl_433/0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch Normal file
View File

@ -0,0 +1,58 @@
From 2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8 Mon Sep 17 00:00:00 2001
From: "Christian W. Zuckschwerdt" <christian@zuckschwerdt.org>
Date: Mon, 24 Jan 2022 15:53:20 +0100
Subject: [PATCH] minor: Fix overflow in Clipsal-CMR113 and Somfy-IOHC reported
by aug5t7
[Retrieved from:
https://github.com/merbanan/rtl_433/commit/2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
src/devices/cmr113.c | 4 ++--
src/devices/somfy_iohc.c | 9 +++++----
2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/devices/cmr113.c b/src/devices/cmr113.c
index c85dfac56..19ec5d421 100644
--- a/src/devices/cmr113.c
+++ b/src/devices/cmr113.c
@@ -42,8 +42,8 @@ Kudos to Jon Oxer for decoding this stream and putting it here:
*/
-#define COMPARE_BITS 83
-#define COMPARE_BYTES (COMPARE_BITS/8)
+#define COMPARE_BITS 83
+#define COMPARE_BYTES ((COMPARE_BITS + 7) / 8)
static int cmr113_decode(r_device *decoder, bitbuffer_t *bitbuffer)
{
diff --git a/src/devices/somfy_iohc.c b/src/devices/somfy_iohc.c
index 906cae53e..2c88067b5 100644
--- a/src/devices/somfy_iohc.c
+++ b/src/devices/somfy_iohc.c
@@ -100,11 +100,12 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
if (bitbuffer->num_rows != 1)
return DECODE_ABORT_EARLY;
- int offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
- if (offset >= bitbuffer->bits_per_row[0] - 19 * 10)
+ unsigned offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
+ if (offset + 19 * 10 >= bitbuffer->bits_per_row[0])
return DECODE_ABORT_EARLY;
- int num_bits = bitbuffer->bits_per_row[0] - offset;
+ unsigned num_bits = bitbuffer->bits_per_row[0] - offset;
+ num_bits = MIN(num_bits, sizeof (b) * 8);
int len = extract_bytes_uart(bitbuffer->bb[0], offset, num_bits, b);
if (len < 19)
@@ -120,7 +121,7 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
// calculate and verify checksum
if (crc16lsb(b, len, 0x8408, 0x0000) != 0) // unreflected poly 0x1021
return DECODE_FAIL_MIC;
- bitrow_printf(b, len * 8, "%s: offset %d, num_bits %d, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
+ bitrow_printf(b, len * 8, "%s: offset %u, num_bits %u, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
int msg_type = (b[0]);
int dst_id = ((unsigned)b[4] << 24) | (b[3] << 16) | (b[2] << 8) | (b[1]); // assume Little-Endian

3
package/rtl_433/rtl_433.mk
View File

@ -17,6 +17,9 @@ RTL_433_CONF_OPTS = \
-DBUILD_TESTING_ANALYZER=OFF \
-DENABLE_SOAPYSDR=OFF
# 0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch
RTL_433_IGNORE_CVES += CVE-2022-25051
ifeq ($(BR2_PACKAGE_LIBRTLSDR),y)
RTL_433_DEPENDENCIES += librtlsdr
RTL_433_CONF_OPTS += -DENABLE_RTLSDR=ON