2f2b4c80f4
Fix CVE-2022-32292: In ConnMan through 1.41, remote attackers able to send HTTP requests to the gweb component are able to exploit a heap-based buffer overflow in received_data to execute code. Fix CVE-2022-32293: In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HTTP query could be used to trigger a use-after-free in WISPR handling, leading to crashes or code execution. Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
37 lines
1.1 KiB
Diff
37 lines
1.1 KiB
Diff
From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
|
|
From: Nathan Crandall <ncrandall@tesla.com>
|
|
Date: Tue, 12 Jul 2022 08:56:34 +0200
|
|
Subject: gweb: Fix OOB write in received_data()
|
|
|
|
There is a mismatch of handling binary vs. C-string data with memchr
|
|
and strlen, resulting in pos, count, and bytes_read to become out of
|
|
sync and result in a heap overflow. Instead, do not treat the buffer
|
|
as an ASCII C-string. We calculate the count based on the return value
|
|
of memchr, instead of strlen.
|
|
|
|
Fixes: CVE-2022-32292
|
|
|
|
[Retrieved from:
|
|
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd]
|
|
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
---
|
|
gweb/gweb.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/gweb/gweb.c b/gweb/gweb.c
|
|
index 12fcb1d8..13c6c5f2 100644
|
|
--- a/gweb/gweb.c
|
|
+++ b/gweb/gweb.c
|
|
@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
|
|
}
|
|
|
|
*pos = '\0';
|
|
- count = strlen((char *) ptr);
|
|
+ count = pos - ptr;
|
|
if (count > 0 && ptr[count - 1] == '\r') {
|
|
ptr[--count] = '\0';
|
|
bytes_read--;
|
|
--
|
|
cgit
|
|
|