diff --git a/CVE-2019-5544 b/CVE-2019-5544 new file mode 100644 index 0000000..3428152 --- /dev/null +++ b/CVE-2019-5544 @@ -0,0 +1,135 @@ +idiff -up openslp-2.0.0/common/slp_buffer.c.orig openslp-2.0.0/common/slp_buffer.c +--- openslp-2.0.0/common/slp_buffer.c.orig 2012-12-11 00:31:53.000000000 +0100 ++++ openslp-2.0.0/common/slp_buffer.c 2019-12-09 10:39:16.422058793 +0100 +@@ -153,4 +160,20 @@ void SLPBufferFree(SLPBuffer buf) + xfree(buf); + } + ++/** Report remaining free buffer size in bytes. ++ * ++ * Check if buffer is allocated and if so return bytes left in a ++ * @c SLPBuffer object. ++ * ++ * @param[in] buf The SLPBuffer to be freed. ++ */ ++size_t ++RemainingBufferSpace(SLPBuffer buf) ++{ ++ if (buf->allocated == 0) { ++ return 0; ++ } ++ return buf->end - buf->curpos; ++} ++ + /*=========================================================================*/ +diff -up openslp-2.0.0/common/slp_buffer.h.orig openslp-2.0.0/common/slp_buffer.h +--- openslp-2.0.0/common/slp_buffer.h.orig 2012-11-28 18:07:04.000000000 +0100 ++++ openslp-2.0.0/common/slp_buffer.h 2019-12-09 10:39:16.422058793 +0100 +@@ -78,6 +85,8 @@ SLPBuffer SLPBufferListRemove(SLPBuffer + + SLPBuffer SLPBufferListAdd(SLPBuffer * list, SLPBuffer buf); + ++size_t RemainingBufferSpace(SLPBuffer buf); ++ + /*! @} */ + + #endif /* SLP_BUFFER_H_INCLUDED */ +diff -up openslp-2.0.0/slpd/slpd_process.c.orig openslp-2.0.0/slpd/slpd_process.c +--- openslp-2.0.0/slpd/slpd_process.c.orig 2019-12-09 10:39:16.420058789 +0100 ++++ openslp-2.0.0/slpd/slpd_process.c 2019-12-09 10:39:16.422058793 +0100 +@@ -523,13 +530,27 @@ RESPOND: + { + for (i = 0; i < db->urlcount; i++) + { +- /* urlentry is the url from the db result */ + urlentry = db->urlarray[i]; ++ if (urlentry->opaque != NULL) { ++ const int64_t newsize = size + urlentry->opaquelen; ++ if (urlentry->opaquelen <= 0 || newsize > INT_MAX) ++ { ++ SLPDLog("Invalid opaquelen %d or sizeo of opaque url is too big, size=%d\n", ++ urlentry->opaquelen, size); ++ errorcode = SLP_ERROR_PARSE_ERROR; ++ goto FINISHED; ++ } ++ size += urlentry->opaquelen; ++ } ++ else ++ { ++ /* urlentry is the url from the db result */ ++ size += urlentry->urllen + 6; /* 1 byte for reserved */ ++ /* 2 bytes for lifetime */ ++ /* 2 bytes for urllen */ ++ /* 1 byte for authcount */ ++ } + +- size += urlentry->urllen + 6; /* 1 byte for reserved */ +- /* 2 bytes for lifetime */ +- /* 2 bytes for urllen */ +- /* 1 byte for authcount */ + #ifdef ENABLE_SLPv2_SECURITY + /* make room to include the authblock that was asked for */ + if (G_SlpdProperty.securityEnabled +@@ -603,7 +624,7 @@ RESPOND: + urlentry = db->urlarray[i]; + + #ifdef ENABLE_SLPv1 +- if (urlentry->opaque == 0) ++ if (urlentry->opaque == NULL) + { + /* url-entry reserved */ + *result->curpos++ = 0; +@@ -615,8 +636,18 @@ RESPOND: + PutUINT16(&result->curpos, urlentry->urllen); + + /* url-entry url */ +- memcpy(result->curpos, urlentry->url, urlentry->urllen); +- result->curpos += urlentry->urllen; ++ if (RemainingBufferSpace(result) >= urlentry->urllen) ++ { ++ memcpy(result->curpos, urlentry->url, urlentry->urllen); ++ result->curpos = result->curpos + urlentry->urllen; ++ } ++ else ++ { ++ SLPDLog("Url too big (ask: %d have %" PRId64 "), failing request\n", ++ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result)); ++ errorcode = SLP_ERROR_PARSE_ERROR; ++ goto FINISHED; ++ } + + /* url-entry auths */ + *result->curpos++ = 0; +@@ -628,14 +659,24 @@ RESPOND: + + /* TRICKY: Fix up the lifetime. */ + TO_UINT16(urlentry->opaque + 1, urlentry->lifetime); +- memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen); +- +- /* TRICKY: Fix up the result authblock count. */ +- if (urlentry->authcount) +- result->curpos[1 + 2 + 2 + urlentry->urllen] = (uint8_t)urlentry->authcount; +- /* 1 reserved + 2 lifetime + 2 url length */ +- +- result->curpos += urlentry->opaquelen; ++ if (RemainingBufferSpace(result) >= urlentry->opaquelen) ++ { ++ memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen); ++ ++ /* TRICKY: Fix up the result authblock count. */ ++ if (urlentry->authcount) ++ result->curpos[1 + 2 + 2 + urlentry->urllen] = (uint8_t)urlentry->authcount; ++ /* 1 reserved + 2 lifetime + 2 url length */ ++ ++ result->curpos = result->curpos + urlentry->opaquelen; ++ } ++ else ++ { ++ SLPDLog("Opaque Url too big (ask: %d have %" PRId64 "), failing request\n", ++ urlentry->opaquelen, (int64_t) RemainingBufferSpace(result)); ++ errorcode = SLP_ERROR_PARSE_ERROR; ++ goto FINISHED; ++ } + } + } + } diff --git a/openslp.spec b/openslp.spec index e7c3a93..ad8f31c 100644 --- a/openslp.spec +++ b/openslp.spec @@ -1,6 +1,6 @@ Name: openslp Version: 2.0.0 -Release: 22 +Release: 23 Summary: Open-source inplementation of the IETF Service Location Protocol License: BSD URL: https://sourceforge.net/projects/openslp/ @@ -24,6 +24,7 @@ Patch6005: Fix-interface-parsing-code-to-look-for-null-ifc-addrs.patch Patch6006: Fix-broadcast-functionality.patch Patch6007: Properly-initialize-xcastsocks-for-error-exit.patch Patch6008: Fix-xrealloc-to-properly-free-original-pointer-on-resize.patch +Patch6009: CVE-2019-5544.patch BuildRequires: automake libtool bison flex openssl-devel systemd-units systemd-devel git @@ -125,7 +126,13 @@ rm -rf $RPM_BUILD_ROOT/usr/doc %{_mandir}/man8/slpd.* %changelog -* Mon Oct 21 2019 openEuler Buildteam - 1.0.6-18 +* Sat Jan 11 2020 zhangrui - 2.0.0-23 +- Type:cves +- ID:CVE-2019-5544 +- SUG:restart +- DESC: fix CVE-2019-5544 + +* Mon Oct 21 2019 openEuler Buildteam - 2.0.0-22 - Type:enhancement - Id:NA - SUG:NA