diff mbox series

[meta-networking,kirkstone,3/5] usrsctp: patch CVE-2019-20503

Message ID 20251114194522.643069-3-skandigraun@gmail.com
State New
Headers show
Series [meta-oe,kirkstone,1/5] audiofile: mark CVE-2020-18781 as patched | expand

Commit Message

Gyorgy Sarvari Nov. 14, 2025, 7:45 p.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2019-20503

Pick the patch mentioned in the nvd report.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../usrsctp/usrsctp/CVE-2019-20503.patch      | 54 +++++++++++++++++++
 .../recipes-protocols/usrsctp/usrsctp_git.bb  |  3 +-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch b/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch
new file mode 100644
index 0000000000..fc75151f00
--- /dev/null
+++ b/meta-networking/recipes-protocols/usrsctp/usrsctp/CVE-2019-20503.patch
@@ -0,0 +1,54 @@ 
+From c7f318fc788472da19f0a2579d2c2d439e362f04 Mon Sep 17 00:00:00 2001
+From: Michael Tuexen <tuexen@fh-muenster.de>
+Date: Fri, 20 Dec 2019 17:02:02 +0100
+Subject: [PATCH] Improve input validation for some parameters having a too
+ small reported length.
+
+Thanks to Natalie Silvanovich from Google for finding one of these
+issues in the SCTP userland stack and reporting it.
+
+CVE: CVE-2019-20503
+Upstream-Status: Backport [https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ usrsctplib/netinet/sctp_auth.c | 3 ++-
+ usrsctplib/netinet/sctp_pcb.c  | 5 ++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/usrsctplib/netinet/sctp_auth.c b/usrsctplib/netinet/sctp_auth.c
+index 5e5813b..0660af4 100755
+--- a/usrsctplib/netinet/sctp_auth.c
++++ b/usrsctplib/netinet/sctp_auth.c
+@@ -1455,7 +1455,8 @@ sctp_auth_get_cookie_params(struct sctp_tcb *stcb, struct mbuf *m,
+ 		ptype = ntohs(phdr->param_type);
+ 		plen = ntohs(phdr->param_length);
+ 
+-		if ((plen == 0) || (offset + plen > length))
++		if ((plen < sizeof(struct sctp_paramhdr)) ||
++			(offset + plen > length))
+ 			break;
+ 
+ 		if (ptype == SCTP_RANDOM) {
+diff --git a/usrsctplib/netinet/sctp_pcb.c b/usrsctplib/netinet/sctp_pcb.c
+index 6629f24..b99d089 100755
+--- a/usrsctplib/netinet/sctp_pcb.c
++++ b/usrsctplib/netinet/sctp_pcb.c
+@@ -7245,7 +7245,7 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
+ 		if (offset + plen > limit) {
+ 			break;
+ 		}
+-		if (plen == 0) {
++		if (plen < sizeof(struct sctp_paramhdr)) {
+ 			break;
+ 		}
+ #ifdef INET
+@@ -7461,6 +7461,9 @@ sctp_load_addresses_from_init(struct sctp_tcb *stcb, struct mbuf *m,
+ 			if (plen > sizeof(lstore)) {
+ 				return (-23);
+ 			}
++			if (plen < sizeof(struct sctp_asconf_addrv4_param)) {
++				return (-101);
++			}
+ 			phdr = sctp_get_next_param(m, offset,
+ 						   (struct sctp_paramhdr *)&lstore,
+ 						   plen);
diff --git a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
index dcfa7406d2..2361eacebd 100644
--- a/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
+++ b/meta-networking/recipes-protocols/usrsctp/usrsctp_git.bb
@@ -4,7 +4,8 @@  LIC_FILES_CHKSUM = "file://LICENSE.md;md5=ffcf846341f3856d79a483eafa18e2a5"
 
 SRCREV = "a10cd498d964508c0e6ec6bd2be9dd4afcbb4d86"
 SRC_URI = "git://github.com/sctplab/usrsctp;protocol=https;branch=master \
-          "
+           file://CVE-2019-20503.patch \
+           "
 
 S = "${WORKDIR}/git"