
diff -up rabbitmq-c-0.9.0/librabbitmq/amqp_connection.c.CVE-2019-18609 rabbitmq-c-0.9.0/librabbitmq/amqp_connection.c
--- rabbitmq-c-0.9.0/librabbitmq/amqp_connection.c.CVE-2019-18609	2020-04-06 15:10:07.002386201 +0200
+++ rabbitmq-c-0.9.0/librabbitmq/amqp_connection.c	2020-04-06 15:17:03.624425371 +0200
@@ -287,12 +287,21 @@ int amqp_handle_input(amqp_connection_st
     case CONNECTION_STATE_HEADER: {
       amqp_channel_t channel;
       amqp_pool_t *channel_pool;
-      /* frame length is 3 bytes in */
+      uint32_t frame_size;
+
       channel = amqp_d16(amqp_offset(raw_frame, 1));
 
-      state->target_size =
-          amqp_d32(amqp_offset(raw_frame, 3)) + HEADER_SIZE + FOOTER_SIZE;
+      /* frame length is 3 bytes in */
+      frame_size = amqp_d32(amqp_offset(raw_frame, 3));
+      /* To prevent the target_size calculation below from overflowing, check
+       * that the stated frame_size is smaller than a signed 32-bit. Given
+       * the library only allows configuring frame_max as an int32_t, and
+       * frame_size is uint32_t, the math below is safe from overflow. */
+      if (frame_size >= INT32_MAX) {
+        return AMQP_STATUS_BAD_AMQP_DATA;
+      }
 
+      state->target_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
       if ((size_t)state->frame_max < state->target_size) {
         return AMQP_STATUS_BAD_AMQP_DATA;
       }
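Review bot: The frame_max bound that follows the new overflow guard, `if ((size_t)state->frame_max < state->target_size)`, casts a signed value to size_t, so if a negative frame_max could ever reach this state (its validation is not visible here) the cast would yield a very large size_t and the length check would accept any frame the INT32_MAX guard lets through. A cheap way to make the bound self-contained is `if (state->frame_max < 0 || (size_t)state->frame_max < state->target_size) {`, which costs nothing when frame_max is sane. The comment above the guard could also state the concrete reason the limit is INT32_MAX rather than UINT32_MAX: on a platform where size_t is 32 bits, `frame_size + HEADER_SIZE + FOOTER_SIZE` must not wrap, and the later frame_max comparison is what enforces the actual configured maximum. The enclosing amqp_handle_input begins before this hunk and its switch continues past it.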