Details: https://nvd.nist.gov/vuln/detail/CVE-2019-20503
Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../usrsctp/usrsctp/CVE-2019-20503.patch | 54 +++++++++++++++++++ .../recipes-protocols/usrsctp/usrsctp_git.bb | 3 +- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch b/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch new file mode 100644 index 0000000000..fc75151f00 --- /dev/null +++ b/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch 
@@ -0,0 +1,54 @@ +From c7f318fc788472da19f0a2579d2c2d439e362f04 Mon Sep 17 00:00:00 2001 +From: Michael Tuexen <[email protected]> +Date: Fri, 20 Dec 2019 17:02:02 +0100 +Subject: [PATCH] Improve input validation for some parameters having a too + small reported length. + +Thanks to Natalie Silvanovich from Google for finding one of these +issues in the SCTP userland stack and reporting it. + +CVE: CVE-2019-20503 +Upstream-Status: Backport [https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + usrsctplib/netinet/sctp_auth.c | 3 ++- + usrsctplib/netinet/sctp_pcb.c | 5 ++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/usrsctplib/netinet/sctp_auth.c b/usrsctplib/netinet/sctp_auth.c +index 5e5813b..0660af4 100755 +--- a/usrsctplib/netinet/sctp_auth.c ++++ b/usrsctplib/netinet/sctp_auth.c +@@ -1455,7 +1455,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m, + ptype = ntohs(phdr->param_type); + plen = ntohs(phdr->param_length); + +- if ((plen == 0) || (offset + plen > length)) ++ if ((plen < sizeof(struct sctp_paramhdr)) || ++ (offset + plen > length)) + break; + + if (ptype == SCTP_RANDOM) { +diff --git a/usrsctplib/netinet/sctp_pcb.c b/usrsctplib/netinet/sctp_pcb.c +index 6629f24..b99d089 100755 +--- a/usrsctplib/netinet/sctp_pcb.c ++++ b/usrsctplib/netinet/sctp_pcb.c +@@ -7245,7 +7245,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, + if (offset + plen > limit) { + break; + } +- if (plen == 0) { ++ if (plen < sizeof(struct sctp_paramhdr)) { + break; + } + #ifdef INET +@@ -7461,6 +7461,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m, + if (plen > sizeof(lstore)) { + return (-23); + } ++ if (plen < sizeof(struct sctp_asconf_addrv4_param)) { ++ return (-101); ++ } + phdr = sctp_get_next_param(m, offset, + (struct sctp_paramhdr *)&lstore, + plen); 
diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb index dcfa7406d2..2361eacebd 100644 --- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb +++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb @@ -4,7 +4,8 @@ LIC_FILES_CHKSUM = "file://LICENSE.md;md5=ffcf846341f3856d79a483eafa18e2a5" SRCREV = "a10cd498d964508c0e6ec6bd2be9dd4afcbb4d86" SRC_URI = "git://github.com/sctplab/usrsctp;protocol=https;branch=master \ - " + file://CVE-2019-20503.patch \ + " S = "${WORKDIR}/git"
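Review bot: In the sctp_auth.c hunk of the embedded patch (sctp_auth_get_cookie_params), a parameter whose length is below sizeof(struct sctp_paramhdr) still leaves the loop through the same silent `break` as before, so a malformed parameter list is indistinguishable from a normal end of parameters. Please confirm that the caller copes with a partially parsed cookie in that case. The visible lines only show that parsing stops, not what is done with the RANDOM/other parameters collected up to that point.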
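Review bot: In the second sctp_pcb.c hunk (sctp_load_addresses_from_init, around line 7461), the new `return (-101);` is an undocumented magic value placed next to the existing `return (-23);`, and the lower bound is sizeof(struct sctp_asconf_addrv4_param) although the hunk does not show which parameter type is being handled at that point. A short comment naming the parameter type and what -101 means would help. Because `plen` is passed straight to sctp_get_next_param() with `lstore` as the destination, it is worth confirming that this minimum is right for every parameter that reaches the call.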
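Review bot: In the usrsctp_git.bb hunk, the new `file://CVE-2019-20503.patch` entry is applied on top of the pinned SRCREV a10cd498d964508c0e6ec6bd2be9dd4afcbb4d86, but nothing in the submission says whether the backport applies there without fuzz or whether the hunks were adjusted. The embedded patch header carries `From c7f318fc...` while Upstream-Status points at commit 790a7a2555aefb392a5a69923f1e9d17b4968467; please state in the commit message whether the upstream change was taken unmodified.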
