[Buildroot] [PATCH 1/1] package/rtl_433: fix CVE-2022-25051

Yann E. MORIN yann.morin.1998 at free.fr
Fri Mar 18 22:13:31 UTC 2022


Fabrice, All,

On 2022-03-17 22:42 +0100, Fabrice Fontaine spake thusly:
> An Off-by-one Error occurs in cmr113_decode of rtl_433 21.12 when
> decoding a crafted file.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...low-in-Clipsal-CMR113-and-Somfy-IOHC.patch | 58 +++++++++++++++++++
>  package/rtl_433/rtl_433.mk                    |  3 +
>  2 files changed, 61 insertions(+)
>  create mode 100644 package/rtl_433/0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch
> 
> diff --git a/package/rtl_433/0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch b/package/rtl_433/0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch
> new file mode 100644
> index 0000000000..e2088b29e7
> --- /dev/null
> +++ b/package/rtl_433/0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch
> @@ -0,0 +1,58 @@
> +From 2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8 Mon Sep 17 00:00:00 2001
> +From: "Christian W. Zuckschwerdt" <christian at zuckschwerdt.org>
> +Date: Mon, 24 Jan 2022 15:53:20 +0100
> +Subject: [PATCH] minor: Fix overflow in Clipsal-CMR113 and Somfy-IOHC reported
> + by aug5t7
> +
> +[Retrieved from:
> +https://github.com/merbanan/rtl_433/commit/2dad7b9fc67a1d0bfbe520fbd821678b8f8cc7a8]
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> +---
> + src/devices/cmr113.c     | 4 ++--
> + src/devices/somfy_iohc.c | 9 +++++----
> + 2 files changed, 7 insertions(+), 6 deletions(-)
> +
> +diff --git a/src/devices/cmr113.c b/src/devices/cmr113.c
> +index c85dfac56..19ec5d421 100644
> +--- a/src/devices/cmr113.c
> ++++ b/src/devices/cmr113.c
> +@@ -42,8 +42,8 @@ Kudos to Jon Oxer for decoding this stream and putting it here:
> + 
> + */
> + 
> +-#define COMPARE_BITS 83
> +-#define COMPARE_BYTES (COMPARE_BITS/8)
> ++#define COMPARE_BITS  83
> ++#define COMPARE_BYTES ((COMPARE_BITS + 7) / 8)
> + 
> + static int cmr113_decode(r_device *decoder, bitbuffer_t *bitbuffer)
> + {
> +diff --git a/src/devices/somfy_iohc.c b/src/devices/somfy_iohc.c
> +index 906cae53e..2c88067b5 100644
> +--- a/src/devices/somfy_iohc.c
> ++++ b/src/devices/somfy_iohc.c
> +@@ -100,11 +100,12 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
> +     if (bitbuffer->num_rows != 1)
> +         return DECODE_ABORT_EARLY;
> + 
> +-    int offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
> +-    if (offset >= bitbuffer->bits_per_row[0] - 19 * 10)
> ++    unsigned offset = bitbuffer_search(bitbuffer, 0, 0, preamble_pattern, 24) + 24;
> ++    if (offset + 19 * 10 >= bitbuffer->bits_per_row[0])
> +         return DECODE_ABORT_EARLY;
> + 
> +-    int num_bits = bitbuffer->bits_per_row[0] - offset;
> ++    unsigned num_bits = bitbuffer->bits_per_row[0] - offset;
> ++    num_bits = MIN(num_bits, sizeof (b) * 8);
> + 
> +     int len = extract_bytes_uart(bitbuffer->bb[0], offset, num_bits, b);
> +     if (len < 19)
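
Review bot: the clamp `num_bits = MIN(num_bits, sizeof (b) * 8);` is only a valid bound if `b` is an array declared in this function, and that declaration is not in the hunk. If `b` were a pointer, `sizeof (b)` would be the pointer size and the clamp would cut the input to a few bytes, so confirm the declaration or name the capacity with a constant used in both places. Separately, `offset` is now `unsigned`, so both the `+ 24` and the rewritten test `offset + 19 * 10 >= bitbuffer->bits_per_row[0]` assume `bitbuffer_search` never returns a negative value; its prototype is not visible here and is worth checking. A short comment relating `19 * 10` to the later `len < 19` test would also make the minimum-length check easier to audit.
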
> +@@ -120,7 +121,7 @@ static int somfy_iohc_decode(r_device *decoder, bitbuffer_t *bitbuffer)
> +     // calculate and verify checksum
> +     if (crc16lsb(b, len, 0x8408, 0x0000) != 0) // unreflected poly 0x1021
> +         return DECODE_FAIL_MIC;
> +-    bitrow_printf(b, len * 8, "%s: offset %d, num_bits %d, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
> ++    bitrow_printf(b, len * 8, "%s: offset %u, num_bits %u, len %d, msg_len %d\n", __func__, offset, num_bits, len, msg_len);
> + 
> +     int msg_type = (b[0]);
> +     int dst_id   = ((unsigned)b[4] << 24) | (b[3] << 16) | (b[2] << 8) | (b[1]); // assume Little-Endian
> diff --git a/package/rtl_433/rtl_433.mk b/package/rtl_433/rtl_433.mk
> index a5139ddae6..d1c28adbf5 100644
> --- a/package/rtl_433/rtl_433.mk
> +++ b/package/rtl_433/rtl_433.mk
> @@ -17,6 +17,9 @@ RTL_433_CONF_OPTS = \
>  	-DBUILD_TESTING_ANALYZER=OFF \
>  	-DENABLE_SOAPYSDR=OFF
>  
> +# 0003-minor-Fix-overflow-in-Clipsal-CMR113-and-Somfy-IOHC.patch
> +RTL_433_IGNORE_CVES += CVE-2022-25051
> +
>  ifeq ($(BR2_PACKAGE_LIBRTLSDR),y)
>  RTL_433_DEPENDENCIES += librtlsdr
>  RTL_433_CONF_OPTS += -DENABLE_RTLSDR=ON
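
Review bot: the `RTL_433_IGNORE_CVES` entry lists only CVE-2022-25051, and the commit message mentions only `cmr113_decode`, while the imported patch also changes `somfy_iohc.c` and its subject reads "Fix overflow in Clipsal-CMR113 and Somfy-IOHC". If the Somfy-IOHC overflow has its own CVE identifier, add it to this line under the same comment; if it does not, say so in the commit message so the scope of the fix is clear to whoever audits the CVE list. The comment naming the patch file is the right hook for removing both the patch and this entry at the next version bump.
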
> -- 
> 2.35.1
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'


