Overview

File gnutls-CVE-2017-5337.patch of Package gnutls.8596

From 94fcf1645ea17223237aaf8d19132e004afddc1a Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 4 Jan 2017 14:42:03 +0100
Subject: [PATCH] opencdk: read_attribute: added more precise checks when reading stream

That addresses heap read overflows found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=338
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=346

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 lib/opencdk/read-packet.c | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)

Index: gnutls-3.2.15/lib/opencdk/read-packet.c
===================================================================
--- gnutls-3.2.15.orig/lib/opencdk/read-packet.c	2013-11-10 18:59:14.000000000 +0100
+++ gnutls-3.2.15/lib/opencdk/read-packet.c	2017-01-10 15:43:29.735808052 +0100
@@ -478,44 +478,63 @@ read_attribute(cdk_stream_t inp, size_t
 		return CDK_Out_Of_Core;
 	rc = stream_read(inp, buf, pktlen, &nread);
 	if (rc) {
-		cdk_free(buf);
-		return CDK_Inv_Packet;
+		gnutls_assert();
+		rc = CDK_Inv_Packet;
+		goto error;
 	}
+
 	p = buf;
 	len = *p++;
 	pktlen--;
+
 	if (len == 255) {
+		if (pktlen < 4) {
+			gnutls_assert();
+			rc = CDK_Inv_Packet;
+			goto error;
+		}
+
 		len = _cdk_buftou32(p);
 		p += 4;
 		pktlen -= 4;
 	} else if (len >= 192) {
 		if (pktlen < 2) {
-			cdk_free(buf);
-			return CDK_Inv_Packet;
+			gnutls_assert();
+			rc = CDK_Inv_Packet;
+			goto error;
 		}
 		len = ((len - 192) << 8) + *p + 192;
 		p++;
 		pktlen--;
 	}
 
-	if (*p != 1) {		/* Currently only 1, meaning an image, is defined. */
-		cdk_free(buf);
-		return CDK_Inv_Packet;
+	if (!len || *p != 1) {		/* Currently only 1, meaning an image, is defined. */
+		rc = CDK_Inv_Packet;
+		goto error;
 	}
+
 	p++;
 	len--;
 
-	if (len >= pktlen)
-		return CDK_Inv_Packet;
+	if (len >= pktlen) {
+		rc = CDK_Inv_Packet;
+		goto error;
+	}
+
 	attr->attrib_img = cdk_calloc(1, len);
 	if (!attr->attrib_img) {
-		cdk_free(buf);
-		return CDK_Out_Of_Core;
+		rc = CDK_Out_Of_Core;
+		goto error;
 	}
+
 	attr->attrib_len = len;
 	memcpy(attr->attrib_img, p, len);
 	cdk_free(buf);
 	return rc;
+
+ error:
+	cdk_free(buf);
+	return rc;
 }
openSUSE Build Service is sponsored by
Places