aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Peter Korsgaard <peter@korsgaard.com>2017-07-16 16:23:09 +0200
committerGravatar Peter Korsgaard <peter@korsgaard.com>2017-07-19 20:35:05 +0200
commit718e6e94c17ee7937c8e411e39e8c0f4407e567f (patch)
treedc85889f6d07857cb39553d5bcc0960aa8637bc6
parentebc2dbc6b08d863b621b61fec9f39ed5e8a0c4f2 (diff)
downloadbuildroot-718e6e94c17ee7937c8e411e39e8c0f4407e567f.tar.gz
buildroot-718e6e94c17ee7937c8e411e39e8c0f4407e567f.tar.bz2
libosip2: add upstream security fix
Fixes CVE-2016-10324 - In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the osip_clrncpy() function defined in osipparser2/osip_port.c. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit d8a806e2b81d6f76fa2636a554cd2fbf2fff38ef) Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
-rw-r--r--package/libosip2/0001-fix-bug-report-sr-109133-Heap-buffer-overflow-in-uti.patch30
1 files changed, 30 insertions, 0 deletions
diff --git a/package/libosip2/0001-fix-bug-report-sr-109133-Heap-buffer-overflow-in-uti.patch b/package/libosip2/0001-fix-bug-report-sr-109133-Heap-buffer-overflow-in-uti.patch
new file mode 100644
index 0000000000..7f2c2d46d2
--- /dev/null
+++ b/package/libosip2/0001-fix-bug-report-sr-109133-Heap-buffer-overflow-in-uti.patch
@@ -0,0 +1,30 @@
+From 7e0793e15e21f68337e130c67b031ca38edf055f Mon Sep 17 00:00:00 2001
+From: Aymeric Moizard <amoizard@gmail.com>
+Date: Mon, 5 Sep 2016 15:01:53 +0200
+Subject: [PATCH] * fix bug report: sr #109133: Heap buffer overflow in
+ utility function *osip_clrncpy* https://savannah.gnu.org/support/?109133
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/osipparser2/osip_port.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/osipparser2/osip_port.c b/src/osipparser2/osip_port.c
+index 0e64147..d8941b0 100644
+--- a/src/osipparser2/osip_port.c
++++ b/src/osipparser2/osip_port.c
+@@ -1291,8 +1291,10 @@ osip_clrncpy (char *dst, const char *src, size_t len)
+ char *p;
+ size_t spaceless_length;
+
+- if (src == NULL)
++ if (src == NULL || len == 0) {
++ *dst = '\0';
+ return NULL;
++ }
+
+ /* find the start of relevant text */
+ pbeg = src;
+--
+2.11.0
+