diff options
Diffstat (limited to 'patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff')
-rw-r--r-- | patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff new file mode 100644 index 00000000..37b97c74 --- /dev/null +++ b/patches/source/gnutls/gnutls-2.8.6_CVE-2014-3469.diff @@ -0,0 +1,122 @@ +From b2477c9d1d2b550abade87651382880d370d2803 Mon Sep 17 00:00:00 2001 +From: mancha <mancha1@zoho.com> +Date: Mon, 2 Jun 2014 +Subject: CVE-2014-3469 + +This is a backport adaptation for use with GnuTLS 2.8.6. + +Relevant upstream commit(s): +------------------------- +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=a8b3e14f84174e +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=3d6a02f19ff15a +http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=53958290ab731c + +--- + lib/minitasn1/decoding.c | 11 ++++++++--- + lib/minitasn1/element.c | 27 ++++++++++++++++++--------- + 2 files changed, 26 insertions(+), 12 deletions(-) + +--- a/lib/minitasn1/decoding.c ++++ b/lib/minitasn1/decoding.c +@@ -215,7 +215,6 @@ asn1_get_octet_der (const unsigned char + if (der_len <= 0) + return ASN1_GENERIC_ERROR; + +- /* if(str==NULL) return ASN1_SUCCESS; */ + *str_len = asn1_get_length_der (der, der_len, &len_len); + + if (*str_len < 0) +@@ -223,7 +222,10 @@ asn1_get_octet_der (const unsigned char + + *ret_len = *str_len + len_len; + if (str_size >= *str_len) +- memcpy (str, der + len_len, *str_len); ++ { ++ if (*str_len > 0 && str != NULL) ++ memcpy (str, der + len_len, *str_len); ++ } + else + { + return ASN1_MEM_ERROR; +@@ -350,7 +352,10 @@ asn1_get_bit_der (const unsigned char *d + return ASN1_DER_ERROR; + + if (str_size >= len_byte) +- memcpy (str, der + len_len + 1, len_byte); ++ { ++ if (len_byte > 0 && str) ++ memcpy (str, der + len_len + 1, len_byte); ++ } + else + { + return ASN1_MEM_ERROR; +--- a/lib/minitasn1/element.c ++++ b/lib/minitasn1/element.c +@@ -113,8 +113,11 @@ _asn1_convert_integer (const unsigned ch + /* VALUE_OUT is too short to contain the value conversion */ + return ASN1_MEM_ERROR; + +- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) +- value_out[k2 - k] = val[k2]; ++ if (value_out != NULL) ++ { ++ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) ++ value_out[k2 - k] = val[k2]; ++ } + + #if 0 + printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len); +@@ -623,7 +626,8 @@ asn1_write_value (asn1_node node_root, c + if (ptr_size < data_size) { \ + return ASN1_MEM_ERROR; \ + } else { \ +- memcpy( ptr, data, data_size); \ ++ if (ptr && data_size > 0) \ ++ memcpy( ptr, data, data_size); \ + } + + #define PUT_STR_VALUE( ptr, ptr_size, data) \ +@@ -632,16 +626,19 @@ asn1_write_value (asn1_node node_root, c + return ASN1_MEM_ERROR; \ + } else { \ + /* this strcpy is checked */ \ +- strcpy(ptr, data); \ ++ if (ptr) { \ ++ strcpy(ptr, data); \ ++ } \ + } + + #define ADD_STR_VALUE( ptr, ptr_size, data) \ +- *len = (int) strlen(data) + 1; \ +- if (ptr_size < (int) strlen(ptr)+(*len)) { \ ++ *len += strlen(data); \ ++ if (ptr_size < (int) *len) { \ ++ (*len)++; \ + return ASN1_MEM_ERROR; \ + } else { \ + /* this strcat is checked */ \ +- strcat(ptr, data); \ ++ if (ptr) strcat (ptr, data); \ + } + + /** +@@ -803,7 +810,9 @@ asn1_read_value (asn1_node root, const c + case TYPE_OBJECT_ID: + if (node->type & CONST_ASSIGN) + { +- value[0] = 0; ++ *len = 0; ++ if (value) ++ value[0] = 0; + p = node->down; + while (p) + { +@@ -817,7 +826,7 @@ asn1_read_value (asn1_node root, const c + } + p = p->right; + } +- *len = strlen (value) + 1; ++ (*len)++; + } + else if ((node->type & CONST_DEFAULT) && (node->value == NULL)) + { |