fix CVE-2020-26154
This commit is contained in:
hanzj0122_admin
parent
54c7c8636e
commit
10cb876fbb
96
Fix-buffer-overflow-when-PAC-is-enabled.patch
Normal file
96
Fix-buffer-overflow-when-PAC-is-enabled.patch
Normal file
@ -0,0 +1,96 @@
|
||||
From 75750b01d846fde77451fad4000bf0ca7caec8a7 Mon Sep 17 00:00:00 2001
|
||||
From: Fei Li <lifeibiren@gmail.com>
|
||||
Date: Fri, 17 Jul 2020 02:18:37 +0800
|
||||
Subject: [PATCH] Fix buffer overflow when PAC is enabled
|
||||
|
||||
The bug was found on Windows 10 (MINGW64) when PAC is enabled. It turned
|
||||
out to be the large PAC file (more than 102400 bytes) returned by a
|
||||
local proxy program with no content-length present.
|
||||
---
|
||||
libproxy/url.cpp | 44 +++++++++++++++++++++++++++++++-------------
|
||||
1 file changed, 31 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/libproxy/url.cpp b/libproxy/url.cpp
|
||||
index b61a9bc..230d0ee 100644
|
||||
--- a/libproxy/url.cpp
|
||||
+++ b/libproxy/url.cpp
|
||||
@@ -52,7 +52,7 @@ using namespace std;
|
||||
#define PAC_MIME_TYPE_FB "text/plain"
|
||||
|
||||
// This is the maximum pac size (to avoid memory attacks)
|
||||
-#define PAC_MAX_SIZE 102400
|
||||
+#define PAC_MAX_SIZE 0x800000
|
||||
// This is the default block size to use when receiving via HTTP
|
||||
#define PAC_HTTP_BLOCK_SIZE 512
|
||||
|
||||
@@ -476,15 +476,13 @@ char* url::get_pac() {
|
||||
}
|
||||
|
||||
// Get content
|
||||
- unsigned int recvd = 0;
|
||||
- buffer = new char[PAC_MAX_SIZE];
|
||||
- memset(buffer, 0, PAC_MAX_SIZE);
|
||||
+ std::vector<char> dynamic_buffer;
|
||||
do {
|
||||
unsigned int chunk_length;
|
||||
|
||||
if (chunked) {
|
||||
// Discard the empty line if we received a previous chunk
|
||||
- if (recvd > 0) recvline(sock);
|
||||
+ if (!dynamic_buffer.empty()) recvline(sock);
|
||||
|
||||
// Get the chunk-length line as an integer
|
||||
if (sscanf(recvline(sock).c_str(), "%x", &chunk_length) != 1 || chunk_length == 0) break;
|
||||
@@ -496,21 +494,41 @@ char* url::get_pac() {
|
||||
|
||||
if (content_length >= PAC_MAX_SIZE) break;
|
||||
|
||||
- while (content_length == 0 || recvd != content_length) {
|
||||
- int r = recv(sock, buffer + recvd,
|
||||
- content_length == 0 ? PAC_HTTP_BLOCK_SIZE
|
||||
- : content_length - recvd, 0);
|
||||
+ while (content_length == 0 || dynamic_buffer.size() != content_length) {
|
||||
+ // Calculate length to recv
|
||||
+ unsigned int length_to_read = PAC_HTTP_BLOCK_SIZE;
|
||||
+ if (content_length > 0)
|
||||
+ length_to_read = content_length - dynamic_buffer.size();
|
||||
+
|
||||
+ // Prepare buffer
|
||||
+ dynamic_buffer.resize(dynamic_buffer.size() + length_to_read);
|
||||
+
|
||||
+ int r = recv(sock, dynamic_buffer.data() + dynamic_buffer.size() - length_to_read, length_to_read, 0);
|
||||
+
|
||||
+ // Shrink buffer to fit
|
||||
+ if (r >= 0)
|
||||
+ dynamic_buffer.resize(dynamic_buffer.size() - length_to_read + r);
|
||||
+
|
||||
+ // PAC size too large, discard
|
||||
+ if (dynamic_buffer.size() >= PAC_MAX_SIZE) {
|
||||
+ chunked = false;
|
||||
+ dynamic_buffer.clear();
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
if (r <= 0) {
|
||||
chunked = false;
|
||||
break;
|
||||
}
|
||||
- recvd += r;
|
||||
}
|
||||
} while (chunked);
|
||||
|
||||
- if (content_length != 0 && string(buffer).size() != content_length) {
|
||||
- delete[] buffer;
|
||||
- buffer = NULL;
|
||||
+ if (content_length == 0 || content_length == dynamic_buffer.size()) {
|
||||
+ buffer = new char[dynamic_buffer.size() + 1];
|
||||
+ if (!dynamic_buffer.empty()) {
|
||||
+ memcpy(buffer, dynamic_buffer.data(), dynamic_buffer.size());
|
||||
+ }
|
||||
+ buffer[dynamic_buffer.size()] = '\0';
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
1.8.3.1
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
Name: libproxy
|
||||
Version: 0.4.15
|
||||
Release: 14
|
||||
Release: 15
|
||||
Summary: Libproxy is a library that provides automatic proxy configuration management
|
||||
|
||||
License: LGPLv2+
|
||||
@ -14,6 +14,7 @@ Patch1: libproxy-0.4.11-crash.patch
|
||||
# Patch 2 and 3 are backported from upstream commuity
|
||||
Patch2: libproxy-0.4.15-python3738.patch
|
||||
Patch3: libproxy-0.4.15-mozjs52.patch
|
||||
Patch4: Fix-buffer-overflow-when-PAC-is-enabled.patch
|
||||
|
||||
BuildRequires: cmake >= 2.6.0 gcc-c++
|
||||
BuildRequires: pkgconfig(gio-2.0) >= 2.26 pkgconfig(mozjs-52) pkgconfig(libnm) python2-devel python3-devel
|
||||
@ -122,12 +123,19 @@ make test
|
||||
%{_mandir}/man1/proxy.1*
|
||||
|
||||
%changelog
|
||||
* Tue Oct 20 hanzhijun <hanzhijun1@huawei.com> - 0.4.15-15
|
||||
- Type:cves
|
||||
- Id:NA
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2020-26154
|
||||
|
||||
* Thu Aug 6 2020 zengwefeng <zwfeng@huawei.com> - 0.4.15-14
|
||||
- Type:bugfix
|
||||
- Id:NA
|
||||
- SUG:NA
|
||||
- DESC:drop dependency of libmodman
|
||||
|
||||
|
||||
* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.4.15-13
|
||||
- Type:NA
|
||||
- ID:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user