authorRobert Scott <code@humanleg.org.uk>2023-01-07 15:30:31 +0000
committerRobert Scott <code@humanleg.org.uk>2023-01-10 23:48:54 +0000
commitca2b44568eb0ffbd0b5a22eb70feb6dbdcda8e9c (patch)
tree5577092e806c8b349d6074581d9adbb3463cf85b
parent48bd2d0ebf786ab6ec48557b04dca32cac7d4bc9 (diff)
pjsip: add patches for CVE-2022-23537 & CVE-2022-23547
-rw-r--r--pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23537.patch87
-rw-r--r--pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch41
-rw-r--r--pkgs/applications/networking/pjsip/default.nix2
3 files changed, 130 insertions, 0 deletions
diff --git a/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23537.patch b/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23537.patch
new file mode 100644
index 000000000000..dfe023ff6833
--- /dev/null
+++ b/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23537.patch
@@ -0,0 +1,87 @@
+Based on upstream d8440f4d711a654b511f50f79c0445b26f9dd1e1 with
+whitespace changes to allow it to apply to 1.12.1
+
+diff --git a/pjnath/include/pjnath/stun_msg.h b/pjnath/include/pjnath/stun_msg.h
+index 6b5fc0f21..e8f52db3c 100644
+--- a/pjnath/include/pjnath/stun_msg.h
++++ b/pjnath/include/pjnath/stun_msg.h
+@@ -443,6 +443,7 @@ typedef enum pj_stun_status
+
+ \endverbatim
+ */
++#pragma pack(1)
+ typedef struct pj_stun_msg_hdr
+ {
+ /**
+@@ -474,6 +475,7 @@ typedef struct pj_stun_msg_hdr
+ pj_uint8_t tsx_id[12];
+
+ } pj_stun_msg_hdr;
++#pragma pack()
+
+
+ /**
+@@ -491,6 +493,7 @@ typedef struct pj_stun_msg_hdr
+
+ \endverbatim
+ */
++#pragma pack(1)
+ typedef struct pj_stun_attr_hdr
+ {
+ /**
+@@ -507,6 +510,7 @@ typedef struct pj_stun_attr_hdr
+ pj_uint16_t length;
+
+ } pj_stun_attr_hdr;
++#pragma pack()
+
+
+ /**
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index bd83351e6..18b70cc22 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -746,8 +746,8 @@ PJ_DEF(int) pj_stun_set_padding_char(int chr)
+
+
+ #define INIT_ATTR(a,t,l) (a)->hdr.type=(pj_uint16_t)(t), \
+- (a)->hdr.length=(pj_uint16_t)(l)
+-#define ATTR_HDR_LEN 4
++ (a)->hdr.length=(pj_uint16_t)(l)
++#define ATTR_HDR_LEN sizeof(pj_stun_attr_hdr)
+
+ static pj_uint16_t GETVAL16H(const pj_uint8_t *buf, unsigned pos)
+ {
+@@ -2328,6 +2328,14 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+ status = pj_stun_msg_check(pdu, pdu_len, options);
+ if (status != PJ_SUCCESS)
+ return status;
++ } else {
++ /* For safety, verify packet length at least */
++ pj_uint32_t msg_len = GETVAL16H(pdu, 2) + 20;
++ if (msg_len > pdu_len ||
++ ((options & PJ_STUN_IS_DATAGRAM) && msg_len != pdu_len))
++ {
++ return PJNATH_EINSTUNMSGLEN;
++ }
+ }
+
+ /* Create the message, copy the header, and convert to host byte order */
+@@ -2346,7 +2354,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+ p_response = NULL;
+
+ /* Parse attributes */
+- while (pdu_len >= 4) {
++ while (pdu_len >= ATTR_HDR_LEN) {
+ unsigned attr_type, attr_val_len;
+ const struct attr_desc *adesc;
+
+@@ -2358,7 +2366,7 @@ PJ_DEF(pj_status_t) pj_stun_msg_decode(pj_pool_t *pool,
+ attr_val_len = (attr_val_len + 3) & (~3);
+
+ /* Check length */
+- if (pdu_len < attr_val_len) {
++ if (pdu_len < attr_val_len + ATTR_HDR_LEN) {
+ pj_str_t err_msg;
+ char err_msg_buf[80];
+
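Review bot: In the new `else` branch of pj_stun_msg_decode, `GETVAL16H(pdu, 2)` reads pdu[2..3] before anything in the hunk has established that pdu_len is at least 4, so a 1- to 3-byte input is over-read by up to three bytes before `msg_len > pdu_len` rejects it; the start of pj_stun_msg_decode lies above the hunk, so this holds only if that prologue does not already reject short buffers. A guard ahead of the read, `if (pdu_len < sizeof(pj_stun_msg_hdr)) return PJNATH_EINSTUNMSGLEN;`, closes the gap and makes the 20-byte header the `+ 20` assumes explicit. Separately, the stun_msg.h hunks close each packed struct with `#pragma pack()`, which resets alignment to the compiler default rather than restoring whatever the including translation unit had in effect; `#pragma pack(push, 1)` / `#pragma pack(pop)` is the form that leaves includers untouched. Both points are inherited from upstream d8440f4d711a654b511f50f79c0445b26f9dd1e1 rather than introduced by the 1.12.1 rebase, so they may be better raised there, but the vendored copy is what this tree builds.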
diff --git a/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch b/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch
new file mode 100644
index 000000000000..8f7646822585
--- /dev/null
+++ b/pkgs/applications/networking/pjsip/1.12.1-CVE-2022-23547.patch
@@ -0,0 +1,41 @@
+Based on upstream bc4812d31a67d5e2f973fbfaf950d6118226cf36 with
+whitespace changes to allow it to apply to 1.12.1
+
+diff --git a/pjnath/src/pjnath/stun_msg.c b/pjnath/src/pjnath/stun_msg.c
+index 18b70cc22..b6a6b3528 100644
+--- a/pjnath/src/pjnath/stun_msg.c
++++ b/pjnath/src/pjnath/stun_msg.c
+@@ -1439,12 +1439,12 @@ static pj_status_t decode_uint_attr(pj_pool_t *pool,
+ attr = PJ_POOL_ZALLOC_T(pool, pj_stun_uint_attr);
+ GETATTRHDR(buf, &attr->hdr);
+
+- attr->value = GETVAL32H(buf, 4);
+-
+ /* Check that the attribute length is valid */
+ if (attr->hdr.length != 4)
+ return PJNATH_ESTUNINATTRLEN;
+
++ attr->value = GETVAL32H(buf, 4);
++
+ /* Done */
+ *p_attr = attr;
+
+@@ -1758,14 +1758,15 @@ static pj_status_t decode_errcode_attr(pj_pool_t *pool,
+ attr = PJ_POOL_ZALLOC_T(pool, pj_stun_errcode_attr);
+ GETATTRHDR(buf, &attr->hdr);
+
++ /* Check that the attribute length is valid */
++ if (attr->hdr.length < 4)
++ return PJNATH_ESTUNINATTRLEN;
++
+ attr->err_code = buf[6] * 100 + buf[7];
+
+ /* Get pointer to the string in the message */
+ value.ptr = ((char*)buf + ATTR_HDR_LEN + 4);
+ value.slen = attr->hdr.length - 4;
+- /* Make sure the length is never negative */
+- if (value.slen < 0)
+- value.slen = 0;
+
+ /* Copy the string to the attribute */
+ pj_strdup(pool, &attr->reason, &value);
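Review bot: The new `attr->hdr.length < 4` check in decode_errcode_attr only bounds buf[6]/buf[7] and the `value.slen` arithmetic; that the reason phrase of `hdr.length - 4` bytes actually lies inside the received buffer still depends on the caller's `pdu_len < attr_val_len + ATTR_HDR_LEN` check, which is added by the sibling 1.12.1-CVE-2022-23537.patch, and the index line `18b70cc22..b6a6b3528` shows this patch was generated on top of that one's stun_msg.c. That ordering dependency is currently only implicit in the order of the default.nix patch list, so the two-line header would benefit from stating it, e.g. `Must be applied after 1.12.1-CVE-2022-23537.patch: its stun_msg.c post-image (18b70cc22) is this patch's pre-image.` The enclosing functions decode_uint_attr and decode_errcode_attr both start and end outside the hunks shown.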
diff --git a/pkgs/applications/networking/pjsip/default.nix b/pkgs/applications/networking/pjsip/default.nix
index 2eafd0c05f7b..4711b47715d1 100644
--- a/pkgs/applications/networking/pjsip/default.nix
+++ b/pkgs/applications/networking/pjsip/default.nix
@@ -28,6 +28,8 @@ stdenv.mkDerivation rec {
url = "https://github.com/pjsip/pjproject/commit/450baca94f475345542c6953832650c390889202.patch";
sha256 = "sha256-30kHrmB51UIw4x/J6/CD+vPKf/gBYDCcFoUpwEWkDMY=";
})
+ ./1.12.1-CVE-2022-23537.patch
+ ./1.12.1-CVE-2022-23547.patch
];
buildInputs = [ openssl libsamplerate ]