| 123456789101112131415161718192021222324252627282930313233343536 |
- From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
- From: Nathan Crandall <ncrandall@tesla.com>
- Date: Tue, 12 Jul 2022 08:56:34 +0200
- Subject: gweb: Fix OOB write in received_data()
- There is a mismatch of handling binary vs. C-string data with memchr
- and strlen, resulting in pos, count, and bytes_read to become out of
- sync and result in a heap overflow. Instead, do not treat the buffer
- as an ASCII C-string. We calculate the count based on the return value
- of memchr, instead of strlen.
- Fixes: CVE-2022-32292
- [Retrieved from:
- https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312bd]
- Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
- ---
- gweb/gweb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
- diff --git a/gweb/gweb.c b/gweb/gweb.c
- index 12fcb1d8..13c6c5f2 100644
- --- a/gweb/gweb.c
- +++ b/gweb/gweb.c
- @@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
- }
-
- *pos = '\0';
- - count = strlen((char *) ptr);
- + count = pos - ptr;
- if (count > 0 && ptr[count - 1] == '\r') {
- ptr[--count] = '\0';
- bytes_read--;
- --
- cgit
|
