packages/libproxy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2020-26154

Browse Source
This commit is contained in:
hanzj0122_admin 2020-10-20 11:40:27 +08:00
parent 54c7c8636e
commit 10cb876fbb
2 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
Fix-buffer-overflow-when-PAC-is-enabled.patch Normal file
View File

@ -0,0 +1,96 @@
From 75750b01d846fde77451fad4000bf0ca7caec8a7 Mon Sep 17 00:00:00 2001
From: Fei Li <lifeibiren@gmail.com>
Date: Fri, 17 Jul 2020 02:18:37 +0800
Subject: [PATCH] Fix buffer overflow when PAC is enabled
The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
out to be the large PAC file (more than 102400 bytes) returned by a
local proxy program with no content-length present.
---
libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
1 file changed, 31 insertions(+), 13 deletions(-)
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
index b61a9bc..230d0ee 100644
--- a/libproxy/url.cpp
+++ b/libproxy/url.cpp
@@ -52,7 +52,7 @@ using namespace std;
#define PAC_MIME_TYPE_FB "text/plain"
// This is the maximum pac size (to avoid memory attacks)
-#define PAC_MAX_SIZE 102400
+#define PAC_MAX_SIZE 0x800000
// This is the default block size to use when receiving via HTTP
#define PAC_HTTP_BLOCK_SIZE 512
@@ -476,15 +476,13 @@ char* url::get_pac() {
}
// Get content
- unsigned int recvd = 0;
- buffer = new char[PAC_MAX_SIZE];
- memset(buffer, 0, PAC_MAX_SIZE);
+ std::vector<char> dynamic_buffer;
do {
unsigned int chunk_length;
if (chunked) {
// Discard the empty line if we received a previous chunk
- if (recvd > 0) recvline(sock);
+ if (!dynamic_buffer.empty()) recvline(sock);
// Get the chunk-length line as an integer
if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
@@ -496,21 +494,41 @@ char* url::get_pac() {
if (content_length >= PAC_MAX_SIZE) break;
- while (content_length == 0 || recvd != content_length) {
- int r = recv(sock, buffer + recvd,
- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
- : content_length - recvd, 0);
+ while (content_length == 0 || dynamic_buffer.size() != content_length) {
+ // Calculate length to recv
+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
+ if (content_length > 0)
+ length_to_read = content_length - dynamic_buffer.size();
+
+ // Prepare buffer
+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
+
+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
+
+ // Shrink buffer to fit
+ if (r >= 0)
+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
+
+ // PAC size too large, discard
+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
+ chunked = false;
+ dynamic_buffer.clear();
+ break;
+ }
+
if (r <= 0) {
chunked = false;
break;
}
- recvd += r;
}
} while (chunked);
- if (content_length != 0 && string(buffer).size() != content_length) {
- delete[] buffer;
- buffer = NULL;
+ if (content_length == 0 || content_length == dynamic_buffer.size()) {
+ buffer = new char[dynamic_buffer.size() + 1];
+ if (!dynamic_buffer.empty()) {
+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
+ }
+ buffer[dynamic_buffer.size()] = '\0';
}
}
--
1.8.3.1

10
libproxy.spec
View File

@ -1,6 +1,6 @@
Name: libproxy Name: libproxy
Version: 0.4.15 Version: 0.4.15
Release: 14 Release: 15
Summary: Libproxy is a library that provides automatic proxy configuration management Summary: Libproxy is a library that provides automatic proxy configuration management
License: LGPLv2+ License: LGPLv2+
@ -14,6 +14,7 @@ Patch1: libproxy-0.4.11-crash.patch
# Patch 2 and 3 are backported from upstream commuity # Patch 2 and 3 are backported from upstream commuity
Patch2: libproxy-0.4.15-python3738.patch Patch2: libproxy-0.4.15-python3738.patch
Patch3: libproxy-0.4.15-mozjs52.patch Patch3: libproxy-0.4.15-mozjs52.patch
Patch4: Fix-buffer-overflow-when-PAC-is-enabled.patch
BuildRequires: cmake >= 2.6.0 gcc-c++ BuildRequires: cmake >= 2.6.0 gcc-c++
BuildRequires: pkgconfig(gio-2.0) >= 2.26 pkgconfig(mozjs-52) pkgconfig(libnm) python2-devel python3-devel BuildRequires: pkgconfig(gio-2.0) >= 2.26 pkgconfig(mozjs-52) pkgconfig(libnm) python2-devel python3-devel
@ -122,12 +123,19 @@ make test
%{_mandir}/man1/proxy.1* %{_mandir}/man1/proxy.1*
%changelog %changelog
* Tue Oct 20 hanzhijun <hanzhijun1@huawei.com> - 0.4.15-15
- Type:cves
- Id:NA
- SUG:NA
- DESC:fix CVE-2020-26154
* Thu Aug 6 2020 zengwefeng <zwfeng@huawei.com> - 0.4.15-14 * Thu Aug 6 2020 zengwefeng <zwfeng@huawei.com> - 0.4.15-14
- Type:bugfix - Type:bugfix
- Id:NA - Id:NA
- SUG:NA - SUG:NA
- DESC:drop dependency of libmodman - DESC:drop dependency of libmodman
* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.4.15-13 * Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.4.15-13
- Type:NA - Type:NA
- ID:NA - ID:NA