File libu2f-host-CVE-2019-9578.patch of Package libu2f-host.11485

#
# spec file for package libu2f-host-CVE-2019-9578
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


From e4bb58cc8b6202a421e65f8230217d8ae6e16eb5 Mon Sep 17 00:00:00 2001
From: Klas Lindfors <klas@yubico.com>
Date: Fri, 22 Feb 2019 10:59:01 +0100
Subject: [PATCH] fix filling out of initresp
---
 u2f-host/devs.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/u2f-host/devs.c b/u2f-host/devs.c
index 2b4ca67..1eaf3fb 100644
--- a/u2f-host/devs.c
+++ b/u2f-host/devs.c
@@ -302,17 +302,29 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
       (devs, dev->id, U2FHID_INIT, nonce, sizeof (nonce), resp,
        &resplen) == U2FH_OK)
     {
-      U2FHID_INIT_RESP initresp;
-      if (resplen > sizeof (initresp))
+      int offs = sizeof (nonce);
+      /* the response has to be atleast 17 bytes, if it's more we discard that */
+      if (resplen < 17)
 	{
-	  return U2FH_MEMORY_ERROR;
+	  return U2FH_SIZE_ERROR;
 	}
-      memcpy (&initresp, resp, resplen);
-      dev->cid = initresp.cid;
-      dev->versionInterface = initresp.versionInterface;
-      dev->versionMajor = initresp.versionMajor;
-      dev->versionMinor = initresp.versionMinor;
-      dev->capFlags = initresp.capFlags;
+
+      /* incoming and outgoing nonce has to match */
+      if (memcmp (nonce, resp, sizeof (nonce)) != 0)
+	{
+	  return U2FH_TRANSPORT_ERROR;
+	}
+
+      dev->cid =
+	resp[offs] << 24 | resp[offs + 1] << 16 | resp[offs +
+						       2] << 8 | resp[offs +
+								      3];
+      offs += 4;
+      dev->versionInterface = resp[offs++];
+      dev->versionMajor = resp[offs++];
+      dev->versionMinor = resp[offs++];
+      dev->versionBuild = resp[offs++];
+      dev->capFlags = resp[offs++];
     }
   else
     {
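Review bot: In the `dev->cid` assembly, `resp[offs] << 24` is evaluated after integer promotion to `int`, so a device-supplied first byte of 0x80 or higher is shifted into the sign bit, which is undefined behaviour for signed `int`. The declaration of `resp` is outside this hunk; assuming it is an `unsigned char` buffer, converting each byte before shifting avoids the problem: `dev->cid = (uint32_t) resp[offs] << 24 | (uint32_t) resp[offs + 1] << 16 | (uint32_t) resp[offs + 2] << 8 | (uint32_t) resp[offs + 3];`. If `resp` is plain `char`, each byte needs a cast to `unsigned char` first to prevent sign extension. The literal `17` in the length check would be easier to audit as `sizeof (nonce) + 9`, since parsing starts at `offs = sizeof (nonce)` and then reads nine bytes, which keeps the bound tied to what is actually read. The body of `init_device` starts and ends outside the hunk, so whether the two new early returns skip any cleanup cannot be checked from here.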

%changelog