diff options
| author | Nathan Crandall <ncrandall@tesla.com> | 2022-07-12 08:56:34 +0200 |
|---|---|---|
| committer | Daniel Wagner <wagi@monom.org> | 2022-08-01 08:41:03 +0200 |
| commit | d1a5ede5d255bde8ef707f8441b997563b9312bd (patch) | |
| tree | 413e87d77c0de0d6b136d9928e8c5a8572c769a2 | |
| parent | 416bfaff988882c553c672e5bfc2d4f648d29e8a (diff) | |
| download | connman-d1a5ede5d255bde8ef707f8441b997563b9312bd.tar.gz | |
gweb: Fix OOB write in received_data()
There is a mismatch of handling binary vs. C-string data with memchr
and strlen, resulting in pos, count, and bytes_read to become out of
sync and result in a heap overflow. Instead, do not treat the buffer
as an ASCII C-string. We calculate the count based on the return value
of memchr, instead of strlen.
Fixes: CVE-2022-32292
| -rw-r--r-- | gweb/gweb.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gweb/gweb.c b/gweb/gweb.c index 12fcb1d8..13c6c5f2 100644 --- a/gweb/gweb.c +++ b/gweb/gweb.c @@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, } *pos = '\0'; - count = strlen((char *) ptr); + count = pos - ptr; if (count > 0 && ptr[count - 1] == '\r') { ptr[--count] = '\0'; bytes_read--; |