new file mode 100644
@@ -0,0 +1,74 @@
+From d5bd7cbf26b0254ce068ba7d940c26adbf9ce8e8 Mon Sep 17 00:00:00 2001
+From: Michael Zillgith <michael.zillgith@mz-automation.de>
+Date: Tue, 23 Jul 2024 18:50:15 +0100
+Subject: [PATCH] CVE-2024-45970
+
+fixed potential buffer overflows in MMS client file service handling (LIB61850-449)
+
+CVE: CVE-2024-45970
+Upstream-Status: Backport [https://github.com/mz-automation/libiec61850/commit/ac925fae8e281ac6defcd630e9dd756264e9c5bc]
+
+(cherry picked from commit ac925fae8e281ac6defcd630e9dd756264e9c5bc)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c
+index 4fca418e..935ba1a4 100644
+--- a/src/mms/iso_mms/client/mms_client_files.c
++++ b/src/mms/iso_mms/client/mms_client_files.c
+@@ -487,8 +487,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi
+ break;
+ case 0x81: /* lastModified */
+ {
+- if (lastModified != NULL) {
++ if (lastModified != NULL)
++ {
+ char gtString[40];
++
++ if (length > sizeof(gtString) - 1)
++ return false; /* lastModified string too long */
++
+ memcpy(gtString, buffer + bufPos, length);
+ gtString[length] = 0;
+ *lastModified = Conversions_generalizedTimeToMsTime(gtString);
+@@ -515,12 +520,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
+ uint32_t fileSize = 0;
+ uint64_t lastModified = 0;
+
+- while (bufPos < maxBufPos) {
++ while (bufPos < maxBufPos)
++ {
+ uint8_t tag = buffer[bufPos++];
+ int length;
+
+ bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+- if (bufPos < 0) {
++ if (bufPos < 0)
++ {
+ if (DEBUG_MMS_CLIENT)
+ printf("MMS_CLIENT: invalid length field\n");
+ return false;
+@@ -534,12 +541,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
+ tag = buffer[bufPos++];
+
+ bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+- if (bufPos < 0) {
++ if (bufPos < 0)
++ {
+ if (DEBUG_MMS_CLIENT)
+ printf("MMS_CLIENT: invalid length field\n");
+ return false;
+ }
+
++ if (length > (sizeof(fileNameMemory) - 1))
++ {
++ if (DEBUG_MMS_CLIENT)
++ printf("MMS_CLIENT: filename too long\n");
++ return false;
++ }
++
+ memcpy(filename, buffer + bufPos, length);
+ filename[length] = 0;
+
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/mz-automation/${BPN}.git;branch=v1.5;protocol=https
file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \
file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \
file://CVE-2024-26529.patch \
+ file://CVE-2024-45970.patch \
"
S = "${WORKDIR}/git"
Details https://nvd.nist.gov/vuln/detail/CVE-2024-45970 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> --- .../libiec61850/files/CVE-2024-45970.patch | 74 +++++++++++++++++++ .../libiec61850/libiec61850_1.5.3.bb | 1 + 2 files changed, 75 insertions(+) create mode 100644 meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch