File libu2f-host-CVE-2018-20340.patch of Package libu2f-host

Overview Repositories Revisions Requests Users Attributes Meta

File libu2f-host-CVE-2018-20340.patch of Package libu2f-host

From e77a109f8cf60d9eafdf005ab5c851d5f576c01e Mon Sep 17 00:00:00 2001
From: Klas Lindfors <klas@yubico.com>
Date: Thu, 27 Dec 2018 09:48:43 +0100
Subject: [PATCH 2/5] lib: make sure that we don't copy in a to large initresp
 from device

reported by Christian Reitter
---
 u2f-host/devs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/u2f-host/devs.c b/u2f-host/devs.c
index 6f27c72..fdf1bf3 100644
--- a/u2f-host/devs.c
+++ b/u2f-host/devs.c
@@ -247,6 +247,10 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
        &resplen) == U2FH_OK)
     {
       U2FHID_INIT_RESP initresp;
+      if (resplen > sizeof (initresp))
+	{
+	  return U2FH_MEMORY_ERROR;
+	}
       memcpy (&initresp, resp, resplen);
       dev->cid = initresp.cid;
       dev->versionInterface = initresp.versionInterface;

From f526546bb29f2ef704ae9850f0f4b41fea7b62a4 Mon Sep 17 00:00:00 2001
From: Klas Lindfors <klas@yubico.com>
Date: Tue, 8 Jan 2019 10:09:28 +0100
Subject: [PATCH 3/5] lib: when receiving data, make sure to not copy one
 packet to much

this might lead to a 64 byte buffer-overflow
---
 u2f-host/u2fmisc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/u2f-host/u2fmisc.c b/u2f-host/u2fmisc.c
index 3d2c1e3..e40ca3d 100644
--- a/u2f-host/u2fmisc.c
+++ b/u2f-host/u2fmisc.c
@@ -312,6 +312,10 @@ u2fh_sendrecv (u2fh_devs * devs, unsigned index, uint8_t cmd,
 		     frame.cont.seq, sequence);
 	    return U2FH_TRANSPORT_ERROR;
 	  }
+	if (recvddata + sizeof (frame.cont.data) > maxlen)
+	  {
+	    return U2FH_TRANSPORT_ERROR;
+	  }
 	memcpy (recv + recvddata, frame.cont.data, sizeof (frame.cont.data));
 	recvddata += sizeof (frame.cont.data);
       }

Places

File libu2f-host-CVE-2018-20340.patch of Package libu2f-host

Places