File 0005-gweb-Fix-OOB-write-in-received_data.patch of Package connman

From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
From: Nathan Crandall <ncrandall@tesla.com>
Date: Tue, 12 Jul 2022 08:56:34 +0200
Subject: [PATCH 5/5] gweb: Fix OOB write in received_data()

There is a mismatch of handling binary vs. C-string data with memchr
and strlen, resulting in pos, count, and bytes_read to become out of
sync and result in a heap overflow.  Instead, do not treat the buffer
as an ASCII C-string. We calculate the count based on the return value
of memchr, instead of strlen.

Fixes: CVE-2022-32292
---
 gweb/gweb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/gweb/gweb.c
+++ b/gweb/gweb.c
@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel
 		}
 
 		*pos = '\0';
-		count = strlen((char *) ptr);
+		count = pos - ptr;
 		if (count > 0 && ptr[count - 1] == '\r') {
 			ptr[--count] = '\0';
 			bytes_read--;
openSUSE Build Service is sponsored by