File CVE-2019-13132.patch of Package zeromq.33763

From 28ffec7739b5f53bbfe3d77e338d7f8075016d91 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@microsoft.com>
Date: Tue, 2 Jul 2019 12:23:41 +0100
Subject: [PATCH] Problem: application metadata not parsed correctly when using
 CURVE

Solution: create buffers large enough to contain arbitrary metadata
---
 src/curve_server.cpp | 34 ++++++++++++++++++++++++----------
 1 file changed, 24 insertions(+), 10 deletions(-)

Index: zeromq-4.0.4/src/curve_server.cpp
===================================================================
--- zeromq-4.0.4.orig/src/curve_server.cpp	2019-07-03 15:59:59.828552230 +0200
+++ zeromq-4.0.4/src/curve_server.cpp	2019-07-03 16:03:14.749727101 +0200
@@ -386,8 +386,12 @@ int zmq::curve_server_t::process_initiat
     const size_t clen = (msg_->size () - 113) + crypto_box_BOXZEROBYTES;
 
     uint8_t initiate_nonce [crypto_box_NONCEBYTES];
-    uint8_t initiate_plaintext [crypto_box_ZEROBYTES + 128 + 256];
-    uint8_t initiate_box [crypto_box_BOXZEROBYTES + 144 + 256];
+    uint8_t *initiate_plaintext =
+      static_cast<uint8_t *> (malloc (crypto_box_ZEROBYTES + clen));
+    alloc_assert (initiate_plaintext);
+    uint8_t *initiate_box =
+      static_cast<uint8_t *> (malloc (crypto_box_BOXZEROBYTES + clen));
+    alloc_assert (initiate_box);
 
     //  Open Box [C + vouch + metadata](C'->S')
     memset (initiate_box, 0, crypto_box_BOXZEROBYTES);
@@ -398,15 +402,16 @@ int zmq::curve_server_t::process_initiat
     memcpy (initiate_nonce + 16, initiate + 105, 8);
     cn_peer_nonce = get_uint64(initiate + 105);
 
+    const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
+
     rc = crypto_box_open (initiate_plaintext, initiate_box,
                           clen, initiate_nonce, cn_client, cn_secret);
     if (rc != 0) {
         errno = EPROTO;
-        return -1;
+        rc = -1;
+        goto exit;
     }
 
-    const uint8_t *client_key = initiate_plaintext + crypto_box_ZEROBYTES;
-
     uint8_t vouch_nonce [crypto_box_NONCEBYTES];
     uint8_t vouch_plaintext [crypto_box_ZEROBYTES + 64];
     uint8_t vouch_box [crypto_box_BOXZEROBYTES + 80];
@@ -425,13 +430,15 @@ int zmq::curve_server_t::process_initiat
                           vouch_nonce, client_key, cn_secret);
     if (rc != 0) {
         errno = EPROTO;
-        return -1;
+        rc = -1;
+        goto exit;
     }
 
     //  What we decrypted must be the client's short-term public key
     if (memcmp (vouch_plaintext + crypto_box_ZEROBYTES, cn_client, 32)) {
         errno = EPROTO;
-        return -1;
+        rc = -1;
+        goto exit;
     }
 
     //  Precompute connection secret from client key
@@ -444,14 +451,21 @@ int zmq::curve_server_t::process_initiat
         send_zap_request (client_key);
         rc = receive_and_process_zap_reply ();
         if (rc != 0) {
-            if (errno != EAGAIN)
-                return -1;
+            if (errno != EAGAIN) {
+                rc = -1;
+                goto exit;
+            }
             expecting_zap_reply = true;
         }
     }
 
-    return parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
+    rc = parse_metadata (initiate_plaintext + crypto_box_ZEROBYTES + 128,
                            clen - crypto_box_ZEROBYTES - 128);
+
+exit:
+    free (initiate_plaintext);
+    free (initiate_box);
+    return rc;
 }
 
 int zmq::curve_server_t::produce_ready (msg_t *msg_)