Diffstat (limited to 'nixpkgs/pkgs/development/libraries/openslp')
-rw-r--r--nixpkgs/pkgs/development/libraries/openslp/CVE-2016-4912.patch11
-rw-r--r--nixpkgs/pkgs/development/libraries/openslp/CVE-2019-5544.patch165
-rw-r--r--nixpkgs/pkgs/development/libraries/openslp/default.nix40
3 files changed, 216 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/development/libraries/openslp/CVE-2016-4912.patch b/nixpkgs/pkgs/development/libraries/openslp/CVE-2016-4912.patch
new file mode 100644
index 000000000000..06223deda89b
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/openslp/CVE-2016-4912.patch
@@ -0,0 +1,11 @@
+--- a/common/slp_xmalloc.c
++++ b/common/slp_xmalloc.c
+@@ -206,7 +206,7 @@ void * _xrealloc(const char * file, int line, void * ptr, size_t size)
+          if (newptr == 0)
+             return 0;
+          memcpy(newptr, ptr, x->size);
+-         _xfree(file, line, x);
++         _xfree(file, line, ptr);
+       }
+       return newptr;
+    }
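Review bot: The patch file has no provenance header — no upstream commit id or distribution URL — so a reviewer cannot check that the one-line `_xfree(file, line, ptr);` change is the fix that was actually shipped for CVE-2016-4912; the same gap applies to CVE-2019-5544.patch, whose inner headers only carry a copyright block. A comment line such as `Source: <upstream commit or distro patch URL — fill in>` above `--- a/common/slp_xmalloc.c`, or a comment beside the `./CVE-2016-4912.patch` entry in default.nix, would give these two files the same traceability the fetchpatch entries get from their pinned URLs and hashes. The change itself reads consistently: `newptr` is filled from `ptr`, and `ptr` rather than the bookkeeping record `x` is presumably what `_xfree` expects, but `_xfree`'s contract and the rest of `_xrealloc` are outside this hunk.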
diff --git a/nixpkgs/pkgs/development/libraries/openslp/CVE-2019-5544.patch b/nixpkgs/pkgs/development/libraries/openslp/CVE-2019-5544.patch
new file mode 100644
index 000000000000..2afc0aed3302
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/openslp/CVE-2019-5544.patch
@@ -0,0 +1,165 @@
+diff -ur openslp-2.0.0.orig/common/slp_buffer.c openslp-2.0.0/common/slp_buffer.c
+--- openslp-2.0.0.orig/common/slp_buffer.c	2012-12-10 15:31:53.000000000 -0800
++++ openslp-2.0.0/common/slp_buffer.c	2019-11-26 21:54:20.000000000 -0800
+@@ -30,6 +30,13 @@
+  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  *-------------------------------------------------------------------------*/
+ 
++/* Copyright (c) 2019 VMware, Inc.
++ * SPDX-License-Identifier: BSD-3-Clause
++ * This file is provided under the BSD-3-Clause license.
++ * See COPYING file for more details and other copyrights
++ * that may apply.
++ */
++
+ /** Functions for managing SLP message buffers.
+  *
+  * This file provides a higher level abstraction over malloc and free that
+@@ -153,4 +160,20 @@
+    xfree(buf);
+ }
+ 
++/** Report remaining free buffer size in bytes.
++ *
++ * Check if buffer is allocated and if so return bytes left in a
++ * @c SLPBuffer object.
++ *
++ * @param[in] buf The SLPBuffer to be freed.
++ */
++size_t
++RemainingBufferSpace(SLPBuffer buf)
++{
++   if (buf->allocated == 0) {
++      return 0;
++   }
++   return buf->end - buf->curpos;
++}
++
+ /*=========================================================================*/
+diff -ur openslp-2.0.0.orig/common/slp_buffer.h openslp-2.0.0/common/slp_buffer.h
+--- openslp-2.0.0.orig/common/slp_buffer.h	2012-11-28 09:07:04.000000000 -0800
++++ openslp-2.0.0/common/slp_buffer.h	2019-11-26 21:54:32.000000000 -0800
+@@ -30,6 +30,13 @@
+  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  *-------------------------------------------------------------------------*/
+ 
++/* Copyright (c) 2019 VMware, Inc.
++ * SPDX-License-Identifier: BSD-3-Clause
++ * This file is provided under the BSD-3-Clause license.
++ * See COPYING file for more details and other copyrights
++ * that may apply.
++ */
++
+ /** Header file that defines SLP message buffer management routines.
+  *
+  * Includes structures, constants and functions that used to handle memory 
+@@ -78,6 +85,8 @@
+ 
+ SLPBuffer SLPBufferListAdd(SLPBuffer * list, SLPBuffer buf);
+ 
++size_t RemainingBufferSpace(SLPBuffer buf);
++
+ /*! @} */
+ 
+ #endif /* SLP_BUFFER_H_INCLUDED */
+diff -ur openslp-2.0.0.orig/slpd/slpd_process.c openslp-2.0.0/slpd/slpd_process.c
+--- openslp-2.0.0.orig/slpd/slpd_process.c	2012-12-12 09:38:54.000000000 -0800
++++ openslp-2.0.0/slpd/slpd_process.c	2019-11-26 21:55:10.000000000 -0800
+@@ -30,6 +30,13 @@
+  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  *-------------------------------------------------------------------------*/
+ 
++/* Copyright (c) 2019 VMware, Inc.
++ * SPDX-License-Identifier: BSD-3-Clause
++ * This file is provided under the BSD-3-Clause license.
++ * See COPYING file for more details and other copyrights
++ * that may apply.
++ */
++
+ /** Processes incoming SLP messages.
+  *
+  * @file       slpd_process.c
+@@ -514,13 +521,27 @@
+    {
+       for (i = 0; i < db->urlcount; i++)
+       {
+-         /* urlentry is the url from the db result */
+          urlentry = db->urlarray[i];
++         if (urlentry->opaque != NULL) {
++            const int64_t newsize = size + urlentry->opaquelen;
++            if (urlentry->opaquelen <= 0 || newsize > INT_MAX)
++            {
++               SLPDLog("Invalid opaquelen %d or sizeo of opaque url is too big, size=%d\n",
++                       urlentry->opaquelen, size);
++               errorcode = SLP_ERROR_PARSE_ERROR;
++               goto FINISHED;
++            }
++            size +=  urlentry->opaquelen;
++         }
++         else
++         {
++            /* urlentry is the url from the db result */
++            size += urlentry->urllen + 6; /*  1 byte for reserved  */
++                                          /*  2 bytes for lifetime */
++                                          /*  2 bytes for urllen   */
++                                          /*  1 byte for authcount */
++          }
+ 
+-         size += urlentry->urllen + 6; /*  1 byte for reserved  */
+-                                       /*  2 bytes for lifetime */
+-                                       /*  2 bytes for urllen   */
+-                                       /*  1 byte for authcount */
+ #ifdef ENABLE_SLPv2_SECURITY
+          /* make room to include the authblock that was asked for */
+          if (G_SlpdProperty.securityEnabled
+@@ -594,7 +615,7 @@
+          urlentry = db->urlarray[i];
+ 
+ #ifdef ENABLE_SLPv1
+-         if (urlentry->opaque == 0)
++         if (urlentry->opaque == NULL)
+          {
+             /* url-entry reserved */
+             *result->curpos++ = 0;
+@@ -606,8 +627,18 @@
+             PutUINT16(&result->curpos, urlentry->urllen);
+ 
+             /* url-entry url */
+-            memcpy(result->curpos, urlentry->url, urlentry->urllen);
+-            result->curpos += urlentry->urllen;
++            if (RemainingBufferSpace(result) >= urlentry->urllen)
++            {
++               memcpy(result->curpos, urlentry->url, urlentry->urllen);
++               result->curpos = result->curpos + urlentry->urllen;
++            }
++            else
++            {
++                SLPDLog("Url too big (ask: %d have %" PRId64 "), failing request\n",
++                        urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
++                errorcode = SLP_ERROR_PARSE_ERROR;
++                goto FINISHED;
++            }
+ 
+             /* url-entry auths */
+             *result->curpos++ = 0;
+@@ -621,8 +652,18 @@
+ 
+             /* TRICKY: Fix up the lifetime. */
+             TO_UINT16(urlentry->opaque + 1, urlentry->lifetime);
+-            memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
+-            result->curpos += urlentry->opaquelen;
++            if (RemainingBufferSpace(result) >= urlentry->opaquelen)
++            {
++               memcpy(result->curpos, urlentry->opaque, urlentry->opaquelen);
++               result->curpos = result->curpos + urlentry->opaquelen;
++             }
++             else
++             {
++               SLPDLog("Opaque Url too big (ask: %d have %" PRId64 "), failing request\n",
++                       urlentry->opaquelen, (int64_t) RemainingBufferSpace(result));
++               errorcode = SLP_ERROR_PARSE_ERROR;
++               goto FINISHED;
++             }
+          }
+       }
+    }
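Review bot: The failure log in the non-opaque branch reports the wrong field: when `RemainingBufferSpace(result) >= urlentry->urllen` fails, the `"Url too big (ask: %d ..."` message prints `urlentry->opaquelen`, which in that branch belongs to an entry whose `opaque` is NULL, so the logged "ask" value is unrelated to the length that was rejected; it should be `urlentry->urllen`. Separately, `RemainingBufferSpace` returns `buf->end - buf->curpos` as a `size_t`, so a `curpos` that has already run past `end` would wrap to a huge value and make both new `>=` checks pass; adding `if (buf->curpos > buf->end) return 0;` would keep the guard sound. The new function's doc comment also says `@param[in] buf The SLPBuffer to be freed.`, a copy-paste from the free routine; `@param[in] buf The SLPBuffer to inspect.` matches what it does. Whether `urllen` and `opaquelen` are signed types, which would make the comparisons against `size_t` signed/unsigned mixes, cannot be told from this hunk, and the enclosing functions in slpd_process.c start and end outside it.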
diff --git a/nixpkgs/pkgs/development/libraries/openslp/default.nix b/nixpkgs/pkgs/development/libraries/openslp/default.nix
new file mode 100644
index 000000000000..6e03138adfae
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/openslp/default.nix
@@ -0,0 +1,40 @@
+{ lib, stdenv, fetchurl, fetchpatch }:
+
+stdenv.mkDerivation rec {
+  pname = "openslp";
+  version = "2.0.0";
+
+  src = fetchurl {
+    url = "mirror://sourceforge/openslp/${version}/${version}/openslp-${version}.tar.gz";
+    sha256 = "16splwmqp0400w56297fkipaq9vlbhv7hapap8z09gp5m2i3fhwj";
+  };
+
+  patches = [
+    (fetchpatch {
+      name = "openslp-2.0.0-null-pointer-deref.patch";
+      url = "https://src.fedoraproject.org/rpms/openslp/raw/696fd55ae4fcea7beda0a25131dca8bfb14bbdf9/f/openslp-2.0.0-null-pointer-deref.patch";
+      sha256 = "186f3rj3z2lf5h1lpbhqk0szj2a9far1p3mjqg6422f29yjfnz6a";
+    })
+    (fetchpatch {
+      name = "openslp-2.0.0-CVE-2016-7567.patch";
+      url = "https://src.fedoraproject.org/rpms/openslp/raw/696fd55ae4fcea7beda0a25131dca8bfb14bbdf9/f/openslp-2.0.0-cve-2016-7567.patch";
+      sha256 = "0zp61axx93b7nrbsyhn2x4dnw7n9y6g4rys21hyqxk4khrnc2yr9";
+    })
+    ./CVE-2016-4912.patch
+    ./CVE-2019-5544.patch
+  ];
+
+  meta = with lib; {
+    homepage = "http://www.openslp.org/";
+    description = "An open-source implementation of the IETF Service Location Protocol";
+    maintainers = with maintainers; [ ttuegel ];
+    license = licenses.bsd3;
+    platforms = platforms.all;
+    # never built on aarch64-darwin since first introduction in nixpkgs
+    broken = stdenv.isDarwin && stdenv.isAarch64;
+    knownVulnerabilities = [
+      "CVE-2023-29552: UDP Reflection Attack with ampliciation factor of up to 2200"
+    ];
+  };
+
+}
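Review bot: The `knownVulnerabilities` entry misspells the advisory text: `"CVE-2023-29552: UDP Reflection Attack with ampliciation factor of up to 2200"` should read `amplification`, since this string is exactly what a user sees when the build is refused on that account. Everything else in the derivation is pinned (source hash, patch URLs tied to a commit hash with hashes), which is the right shape for a package that only builds with security patches applied.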