File libu2f-host-CVE-2019-9578.patch of Package libu2f-host.11485
#
# spec file for package libu2f-host-CVE-2019-9578
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
From e4bb58cc8b6202a421e65f8230217d8ae6e16eb5 Mon Sep 17 00:00:00 2001
From: Klas Lindfors <klas@yubico.com>
Date: Fri, 22 Feb 2019 10:59:01 +0100
Subject: [PATCH] fix filling out of initresp
---
u2f-host/devs.c | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/u2f-host/devs.c b/u2f-host/devs.c
index 2b4ca67..1eaf3fb 100644
--- a/u2f-host/devs.c
+++ b/u2f-host/devs.c
@@ -302,17 +302,29 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
(devs, dev->id, U2FHID_INIT, nonce, sizeof (nonce), resp,
&resplen) == U2FH_OK)
{
- U2FHID_INIT_RESP initresp;
- if (resplen > sizeof (initresp))
+ int offs = sizeof (nonce);
+ /* the response has to be atleast 17 bytes, if it's more we discard that */
+ if (resplen < 17)
{
- return U2FH_MEMORY_ERROR;
+ return U2FH_SIZE_ERROR;
}
- memcpy (&initresp, resp, resplen);
- dev->cid = initresp.cid;
- dev->versionInterface = initresp.versionInterface;
- dev->versionMajor = initresp.versionMajor;
- dev->versionMinor = initresp.versionMinor;
- dev->capFlags = initresp.capFlags;
+
+ /* incoming and outgoing nonce has to match */
+ if (memcmp (nonce, resp, sizeof (nonce)) != 0)
+ {
+ return U2FH_TRANSPORT_ERROR;
+ }
+
+ dev->cid =
+ resp[offs] << 24 | resp[offs + 1] << 16 | resp[offs +
+ 2] << 8 | resp[offs +
+ 3];
+ offs += 4;
+ dev->versionInterface = resp[offs++];
+ dev->versionMajor = resp[offs++];
+ dev->versionMinor = resp[offs++];
+ dev->versionBuild = resp[offs++];
+ dev->capFlags = resp[offs++];
}
else
{
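Review bot: The big-endian assembly of `dev->cid` shifts `resp[offs]` left by 24 only after the byte has been promoted to `int`, so a device that returns a channel id with a top byte of 0x80 or above causes a shift into the sign bit, which is undefined behaviour for a signed type. This assumes `resp` is an `unsigned char` buffer, because its declaration is outside the hunk. Widening each byte first keeps the arithmetic unsigned: `dev->cid = (uint32_t) resp[offs] << 24 | (uint32_t) resp[offs + 1] << 16 | (uint32_t) resp[offs + 2] << 8 | (uint32_t) resp[offs + 3];`. The literal 17 in the length check is the bound that keeps every indexed read below inside the received data, so it would be easier to audit as `sizeof (nonce) + 9` (4-byte cid plus five single-byte fields). The body of init_device starts before and continues after this hunk.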
%changelog