Unverified Commit 81e2cbf1 authored by nicoo's avatar nicoo

Backport patch for CVE-2018-20340

parent 3dfcdf23
Subject: Fix CVE-2018-20340
Origin: upstream, https://github.com/Yubico/libu2f-host/commit/4d490bb2c528c351e32837fcdaebd998eb5d3f27
Bug-Debian: https://bugs.debian.org/921725
From: Klas Lindfors <klas@yubico.com>
Reviewed-by: Nicolas Braud-Santoni <nicoo@debian.org>
Last-Update: 2019-02-08
Applied-Upstream: yes
---
u2f-host/devs.c | 5 +++++
u2f-host/u2fmisc.c | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/u2f-host/devs.c b/u2f-host/devs.c
index 6f27c72..0c50882 100644
--- a/u2f-host/devs.c
+++ b/u2f-host/devs.c
@@ -247,6 +247,11 @@ init_device (u2fh_devs * devs, struct u2fdevice *dev)
&resplen) == U2FH_OK)
{
U2FHID_INIT_RESP initresp;
+ if (resplen > sizeof (initresp))
+ {
+ return U2FH_MEMORY_ERROR;
+ }
+
memcpy (&initresp, resp, resplen);
dev->cid = initresp.cid;
dev->versionInterface = initresp.versionInterface;
diff --git a/u2f-host/u2fmisc.c b/u2f-host/u2fmisc.c
index 0be1adc..e17a6c3 100644
--- a/u2f-host/u2fmisc.c
+++ b/u2f-host/u2fmisc.c
@@ -306,6 +306,11 @@ u2fh_sendrecv (u2fh_devs * devs, unsigned index, uint8_t cmd,
frame.cont.seq, sequence);
return U2FH_TRANSPORT_ERROR;
}
+
+ if (recvddata + sizeof (frame.cont.data) > maxlen)
+ {
+ return U2FH_TRANSPORT_ERROR;
+ }
memcpy (recv + recvddata, frame.cont.data, sizeof (frame.cont.data));
recvddata += sizeof (frame.cont.data);
}
Fix-CVE-2018-20340.patch
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment