upnp_event_prepare(): check the return value of snprintf()

Upstream fix for the 'read out-of-bounds vulnerability', which was caused by
the return value of snprintf() not being validated.

BUG=b:251174336
TEST=Compile and verify with miniupnpd_poc.py on mistral
Logs without fix
2022-10-18T18:31:06.697446Z INFO miniupnpd[3160]: HTTP REQUEST : SUBSCRIBE /evt/L3F (HTTP/1.1)
2022-10-18T18:31:06.749677Z NOTICE miniupnpd[3160]: upnp_event_send: 28960 bytes send out of 1049581
2022-10-18T18:31:06.751622Z NOTICE miniupnpd[3160]: upnp_event_send: 65160 bytes send out of 1020621
2022-10-18T18:31:06.758448Z NOTICE miniupnpd[3160]: upnp_event_send: 50680 bytes send out of 955461
2022-10-18T18:31:06.932178Z WARNING crash_reporter[8007]: [user] Received crash notification for miniupnpd[3160] sig 11, user 1105 group 1105 (handling)

Logs with fix
2022-10-18T18:47:48.934511Z INFO miniupnpd[3169]: HTTP REQUEST : SUBSCRIBE /evt/L3F (HTTP/1.1)
2022-10-18T18:47:48.992672Z NOTICE miniupnpd[3169]: upnp_event_send: 28960 bytes send out of 1049581
2022-10-18T18:47:48.998855Z NOTICE miniupnpd[3169]: upnp_event_send: 83984 bytes send out of 1020621
...
2022-10-18T18:48:09.513467Z NOTICE miniupnpd[3169]: upnp_event_send: 39096 bytes send out of 121413
2022-10-18T18:48:11.475740Z NOTICE miniupnpd[3169]: upnp_event_send: 34752 bytes send out of 82317
2022-10-18T18:48:13.275649Z NOTICE miniupnpd[3169]: upnp_event_send: 34752 bytes send out of 47565

Change-Id: I6a35430df984dc33ab52ffd509efe95a0b1facb9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/portage-stable/+/3964968
Tested-by: Raju Konduru <rkonduru@google.com>
Reviewed-by: Kishan Kunduru <kkunduru@chromium.org>
Reviewed-by: Tao Jin <jintao@google.com>
Commit-Queue: Raju Konduru <rkonduru@google.com>
Reviewed-by: Kevin Hayes <kevinhayes@google.com>
diff --git a/net-misc/miniupnpd/files/miniupnpd-1.10-UPSTREAM-upnp_event_prepare-check-the-return-value-of-snprint.patch b/net-misc/miniupnpd/files/miniupnpd-1.10-UPSTREAM-upnp_event_prepare-check-the-return-value-of-snprint.patch
new file mode 100644
index 0000000..750405b
--- /dev/null
+++ b/net-misc/miniupnpd/files/miniupnpd-1.10-UPSTREAM-upnp_event_prepare-check-the-return-value-of-snprint.patch
@@ -0,0 +1,62 @@
+From bec6ccec63cadc95655721bc0e1dd49dac759d94 Mon Sep 17 00:00:00 2001
+From: Thomas Bernard <miniupnp@free.fr>
+Date: Tue, 18 Dec 2018 22:37:14 +0100
+Subject: [PATCH] upnp_event_prepare(): check the return value of snprintf()
+
+---
+ miniupnpd/upnpevents.c | 37 ++++++++++++++++++++++++++-----------
+ 1 file changed, 26 insertions(+), 11 deletions(-)
+
+diff --git a/upnpevents.c b/upnpevents.c
+index d96bccb..3bc402f 100644
+--- a/upnpevents.c
++++ b/upnpevents.c
+@@ -443,19 +443,34 @@ static void upnp_event_prepare(struct upnp_event_notify * obj)
+ 		l = 0;
+ 	}
+ 	obj->buffersize = 1024;
+-	obj->buffer = malloc(obj->buffersize);
+-	if(!obj->buffer) {
+-		syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
+-		if(xml) {
+-			free(xml);
++	for (;;) {
++		obj->buffer = malloc(obj->buffersize);
++		if(!obj->buffer) {
++			syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare");
++			if(xml) {
++				free(xml);
++			}
++			obj->state = EError;
++			return;
+ 		}
+-		obj->state = EError;
+-		return;
++		obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
++		                       obj->path, obj->addrstr, obj->portstr, l+2,
++		                       obj->sub->uuid, obj->sub->seq,
++		                       l, xml);
++		if (obj->tosend < 0) {
++			syslog(LOG_ERR, "%s: snprintf() failed", "upnp_event_prepare");
++			if(xml) {
++				free(xml);
++			}
++			obj->state = EError;
++			return;
++		} else if (obj->tosend < obj->buffersize) {
++			break; /* the buffer was large enough */
++		}
++		/* Try again with a buffer big enough */
++		free(obj->buffer);
++		obj->buffersize = obj->tosend + 1;	/* reserve space for the final 0 */
+ 	}
+-	obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg,
+-	                       obj->path, obj->addrstr, obj->portstr, l+2,
+-	                       obj->sub->uuid, obj->sub->seq,
+-	                       l, xml);
+ 	if(xml) {
+ 		free(xml);
+ 		xml = NULL;
+-- 
+2.38.0.rc1.362.ged0d419d3c-goog
+
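Review bot: The retry loop in the embedded upnpevents.c patch sizes its second allocation straight from snprintf()'s return value (`obj->buffersize = obj->tosend + 1;`) with no upper bound, and the logs in the commit message show a single SUBSCRIBE producing a 1049581-byte notification, so the size appears to be driven by subscriber-supplied fields such as `obj->path`. A cap checked before the retry would bound per-notification memory, e.g. `if (obj->tosend >= UPNP_EVENT_MAX_SIZE) { obj->state = EError; ... }`, where `UPNP_EVENT_MAX_SIZE` is a placeholder for a limit the project would choose. Separately, the `obj->tosend < 0` branch returns with `obj->buffer` still allocated; unless the EError cleanup outside this hunk frees it, add `free(obj->buffer); obj->buffer = NULL;` before the return. upnp_event_prepare() begins and ends outside the hunk and the declared types of `tosend` and `buffersize` are not visible, so the `+ 1` and the `obj->tosend < obj->buffersize` comparison are assumed to be plain int arithmetic.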
diff --git a/net-misc/miniupnpd/miniupnpd-1.12_pre20141209-r1.ebuild b/net-misc/miniupnpd/miniupnpd-1.12_pre20141209-r1.ebuild
new file mode 120000
index 0000000..8be676c
--- /dev/null
+++ b/net-misc/miniupnpd/miniupnpd-1.12_pre20141209-r1.ebuild
@@ -0,0 +1 @@
+miniupnpd-1.12_pre20141209.ebuild
\ No newline at end of file
diff --git a/net-misc/miniupnpd/miniupnpd-1.12_pre20141209.ebuild b/net-misc/miniupnpd/miniupnpd-1.12_pre20141209.ebuild
index 3cf97e1..869df3a 100644
--- a/net-misc/miniupnpd/miniupnpd-1.12_pre20141209.ebuild
+++ b/net-misc/miniupnpd/miniupnpd-1.12_pre20141209.ebuild
@@ -31,6 +31,7 @@
 	if use igdv2; then
 		epatch "${FILESDIR}"/${PN}-1.10-UPSTREAM-advertise-correct-service-and-device-versions-when-I.patch
 	fi
+	epatch "${FILESDIR}"/${PN}-1.10-UPSTREAM-upnp_event_prepare-check-the-return-value-of-snprint.patch
 	mv Makefile.linux Makefile || die
 }