packages/librabbitmq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2019-18609

Browse Source
This commit is contained in:
zhanghua1831 2020-09-16 15:31:09 +08:00
parent 13455aa4cd
commit acfe72424e
2 changed files with 52 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
CVE-2019-18609.patch Normal file
View File

@ -0,0 +1,47 @@
From fc85be7123050b91b054e45b91c78d3241a5047a Mon Sep 17 00:00:00 2001
From: Alan Antonuk <alan.antonuk@gmail.com>
Date: Sun, 3 Nov 2019 23:50:07 -0800
Subject: [PATCH] lib: check frame_size is >= INT32_MAX
When parsing a frame header, validate that the frame_size is less than
or equal to INT32_MAX. Given frame_max is limited between 0 and
INT32_MAX in amqp_login and friends, this does not change the API.
This prevents a potential buffer overflow when a malicious client sends
a frame_size that is close to UINT32_MAX, in which causes an overflow
when computing state->target_size resulting in a small value there. A
buffer is then allocated with the small amount, then memcopy copies the
frame_size writing to memory beyond the end of the buffer.
---
librabbitmq/amqp_connection.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/librabbitmq/amqp_connection.c b/librabbitmq/amqp_connection.c
index 034b2e96..b106f70a 100644
--- a/librabbitmq/amqp_connection.c
+++ b/librabbitmq/amqp_connection.c
@@ -287,12 +287,21 @@ int amqp_handle_input(amqp_connection_state_t state, amqp_bytes_t received_data,
case CONNECTION_STATE_HEADER: {
amqp_channel_t channel;
amqp_pool_t *channel_pool;
- /* frame length is 3 bytes in */
+ uint32_t frame_size;
+
channel = amqp_d16(amqp_offset(raw_frame, 1));
- state->target_size =
- amqp_d32(amqp_offset(raw_frame, 3)) + HEADER_SIZE + FOOTER_SIZE;
+ /* frame length is 3 bytes in */
+ frame_size = amqp_d32(amqp_offset(raw_frame, 3));
+ /* To prevent the target_size calculation below from overflowing, check
+ * that the stated frame_size is smaller than a signed 32-bit. Given
+ * the library only allows configuring frame_max as an int32_t, and
+ * frame_size is uint32_t, the math below is safe from overflow. */
+ if (frame_size >= INT32_MAX) {
+ return AMQP_STATUS_BAD_AMQP_DATA;
+ }
+ state->target_size = frame_size + HEADER_SIZE + FOOTER_SIZE;
if ((size_t)state->frame_max < state->target_size) {
return AMQP_STATUS_BAD_AMQP_DATA;
}

6
librabbitmq.spec
View File

@ -4,12 +4,13 @@
Name: librabbitmq Name: librabbitmq
Version: 0.9.0 Version: 0.9.0
Release: 3 Release: 4
Summary: The AMQP client library Summary: The AMQP client library
License: MIT License: MIT
URL: https://github.com/alanxz/rabbitmq-c URL: https://github.com/alanxz/rabbitmq-c
Source0: https://github.com/alanxz/%{project_name}/archive/%{git_commit}/%{project_name}-%{version}-%{git_short_commit}.tar.gz Source0: https://github.com/alanxz/%{project_name}/archive/%{git_commit}/%{project_name}-%{version}-%{git_short_commit}.tar.gz
Patch0000: CVE-2019-18609.patch
BuildRequires: cmake > 2.8 BuildRequires: cmake > 2.8
BuildRequires: popt-devel > 1.14 BuildRequires: popt-devel > 1.14
@ -66,5 +67,8 @@ make test
%changelog %changelog
* Wed Sep 16 2020 zhanghua <zhanghua40@huawei.com> - 0.9.0-4
- Fix CVE-2019-18609
* Sat Dec 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.9.0-3 * Sat Dec 14 2019 openEuler Buildteam <buildteam@openeuler.org> - 0.9.0-3
- Package init - Package init