diff --git a/SOURCES/bz1560467-1-totemcrypto-Check-length-of-the-packet.patch b/SOURCES/bz1560467-1-totemcrypto-Check-length-of-the-packet.patch
new file mode 100644
index 0000000..d574436
--- /dev/null
+++ b/SOURCES/bz1560467-1-totemcrypto-Check-length-of-the-packet.patch
@@ -0,0 +1,48 @@
+From 3923de59d71ca6f5affa63a32c6eb688efed6356 Mon Sep 17 00:00:00 2001
+From: Jan Friesse
+Date: Fri, 6 Apr 2018 14:43:02 +0200
+Subject: [PATCH] totemcrypto: Check length of the packet
+
+Packet has to be longer than crypto_config_header and hash_len,
+otherwise unallocated memory is passed into calculate_nss_hash function,
+what may result in crash.
+
+Signed-off-by: Jan Friesse
+Reviewed-by: Raphael Sanchez Prudencio
+Reviewed-by: Christine Caulfield
+---
+ exec/totemcrypto.c | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/exec/totemcrypto.c b/exec/totemcrypto.c
+index 64246c9..88c68d1 100644
+--- a/exec/totemcrypto.c
++++ b/exec/totemcrypto.c
+@@ -736,6 +736,11 @@ static int authenticate_nss_2_3 (
+ unsigned char tmp_hash[hash_len[instance->crypto_hash_type]];
+ int datalen = *buf_len - hash_len[instance->crypto_hash_type];
+
++ if (*buf_len <= hash_len[instance->crypto_hash_type]) {
++ log_printf(instance->log_level_security, "Received message is too short... ignoring");
++ return -1;
++ }
++
+ if (calculate_nss_hash(instance, buf, datalen, tmp_hash) < 0) {
+ return -1;
+ }
+@@ -845,6 +850,12 @@ int crypto_authenticate_and_decrypt (struct crypto_instance *instance,
+ {
+ struct crypto_config_header *cch = (struct crypto_config_header *)buf;
+
++ if (*buf_len <= sizeof(struct crypto_config_header)) {
++ log_printf(instance->log_level_security, "Received message is too short... ignoring");
++
++ return (-1);
++ }
++
+ if (cch->crypto_cipher_type != CRYPTO_CIPHER_TYPE_2_3) {
+ log_printf(instance->log_level_security,
+ "Incoming packet has different crypto type. Rejecting");
+--
+1.7.1
+
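Review bot: The guard added in crypto_authenticate_and_decrypt compares `*buf_len` with `sizeof(struct crypto_config_header)`, which is a `size_t`, so if `buf_len` points to a signed int a negative length is converted to a large unsigned value and passes the check. The declaration of `buf_len` is outside both hunks, but `int datalen = *buf_len - ...` suggests it is signed. Rejecting negatives explicitly closes that gap: `if (*buf_len < 0 || (size_t)*buf_len <= sizeof(struct crypto_config_header)) {`, and the same form applies to the `hash_len[...]` comparison in authenticate_nss_2_3 if that table holds an unsigned type. In authenticate_nss_2_3 the `datalen` subtraction still runs in its initializer before the new guard; assigning it after the check would keep an out-of-range value from ever being computed. Both sites also log the identical "Received message is too short... ignoring" text, so naming the failing check in each message would make rejected packets easier to triage.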
diff --git a/SPECS/corosync.spec b/SPECS/corosync.spec index c1add45..4c30c0f 100644 --- a/SPECS/corosync.spec +++ b/SPECS/corosync.spec @@ -24,7 +24,7 @@ Name: corosync Summary: The Corosync Cluster Engine and Application Programming Interfaces Version: 2.4.3 -Release: 2%{?gitver}%{?dist} +Release: 2%{?gitver}%{?dist}.1 License: BSD Group: System Environment/Base URL: http://corosync.github.io/corosync/ @@ -32,6 +32,7 @@ Source0: http://build.clusterlabs.org/corosync/releases/%{name}-%{version}%{?git Patch0: bz1536219-1-logging-Make-blackbox-configurable.patch Patch1: bz1536219-2-logging-Close-before-and-open-blackbox-after-fork.patch +Patch2: bz1560467-1-totemcrypto-Check-length-of-the-packet.patch %if 0%{?rhel} ExclusiveArch: i686 x86_64 s390x ppc64le @@ -91,6 +92,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) %setup -q -n %{name}-%{version}%{?gittarver} %patch0 -p1 -b .bz1536219-1 %patch1 -p1 -b .bz1536219-2 +%patch2 -p1 -b .bz1560467-1 %build %if %{with runautogen} @@ -522,6 +524,11 @@ fi %endif %changelog +* Fri Apr 06 2018 Jan Friesse 2.4.3-2.1 +- Resolves: rhbz#1560467 + +- totemcrypto: Check length of the packet + * Mon Feb 05 2018 Jan Friesse 2.4.3-2 - Resolves: rhbz#1536219