mirror of
https://github.com/openwrt/packages.git
synced 2025-12-21 19:14:30 +04:00
074e63a653
More information can be found in - https://www.openwall.com/lists/oss-security/2024/11/12/11 - https://gitlab.gnome.org/GNOME/glib/-/merge_requests/4281 Signed-off-by: Wei-Ting Yang <williamatcg@gmail.com>
35 lines
1.4 KiB
Diff
35 lines
1.4 KiB
Diff
From: Michael Catanzaro <mcatanzaro@redhat.com>
|
|
Date: Thu, 19 Sep 2024 18:35:53 +0100
|
|
Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
|
|
messages
|
|
|
|
`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
|
|
byte in the connect message, which is an addition in SOCKSv4a vs
|
|
SOCKSv4.
|
|
|
|
This means that the buffer for building and transmitting the connect
|
|
message could be overflowed if the username and hostname are both
|
|
`SOCKS4_MAX_LEN` (255) bytes long.
|
|
|
|
Proxy configurations are normally statically configured, so the username
|
|
is very unlikely to be near its maximum length, and hence this overflow
|
|
is unlikely to be triggered in practice.
|
|
|
|
(Commit message by Philip Withnall, diagnosis and fix by Michael
|
|
Catanzaro.)
|
|
|
|
--- a/gio/gsocks4aproxy.c
|
|
+++ b/gio/gsocks4aproxy.c
|
|
@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *pro
|
|
* +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
|
|
* | VN | CD | DSTPORT | DSTIP | USERID |NULL| HOST | | NULL |
|
|
* +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
|
|
- * 1 1 2 4 variable 1 variable
|
|
+ * 1 1 2 4 variable 1 variable 1
|
|
*/
|
|
-#define SOCKS4_CONN_MSG_LEN (9 + SOCKS4_MAX_LEN * 2)
|
|
+#define SOCKS4_CONN_MSG_LEN (10 + SOCKS4_MAX_LEN * 2)
|
|
static gint
|
|
set_connect_msg (guint8 *msg,
|
|
const gchar *hostname,
|