diff mbox series

[meta-networking,kirkstone,5/5] libiec61850: patch CVE-2024-45970

Message ID 20260130070621.3171877-5-skandigraun@gmail.com
State New
Headers show
Series [meta-python,kirkstone,1/5] python3-pymongo: upgrade 4.1.0 -> 4.1.1 | expand

Commit Message

Gyorgy Sarvari Jan. 30, 2026, 7:06 a.m. UTC 
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-45970

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../libiec61850/files/CVE-2024-45970.patch    | 71 +++++++++++++++++++
 .../libiec61850/libiec61850_1.5.1.bb          |  1 +
 2 files changed, 72 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch
diff mbox series

Patch

diff --git a/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch b/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch
new file mode 100644
index 0000000000..81759438e1
--- /dev/null
+++ b/meta-networking/recipes-connectivity/libiec61850/files/CVE-2024-45970.patch
@@ -0,0 +1,71 @@ 
+From 554e77c542f1c09b689907d5e2ea8bff4b2ad969 Mon Sep 17 00:00:00 2001
+From: Michael Zillgith <michael.zillgith@mz-automation.de>
+Date: Tue, 23 Jul 2024 18:50:15 +0100
+Subject: [PATCH] - fixed potential buffer overflows in MMS client file service
+ handling (LIB61850-449)
+
+CVE: CVE-2024-45970
+Upstream-Status: Backport [https://github.com/mz-automation/libiec61850/commit/ac925fae8e281ac6defcd630e9dd756264e9c5bc]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/mms/iso_mms/client/mms_client_files.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/mms/iso_mms/client/mms_client_files.c b/src/mms/iso_mms/client/mms_client_files.c
+index 307ab534..1aa8dff2 100644
+--- a/src/mms/iso_mms/client/mms_client_files.c
++++ b/src/mms/iso_mms/client/mms_client_files.c
+@@ -478,8 +478,13 @@ parseFileAttributes(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t* fileSi
+             break;
+         case 0x81: /* lastModified */
+             {
+-                if (lastModified != NULL) {
++                if (lastModified != NULL)
++                {
+                     char gtString[40];
++
++                    if (length > sizeof(gtString) - 1)
++                        return false; /* lastModified string too long */
++
+                     memcpy(gtString, buffer + bufPos, length);
+                     gtString[length] = 0;
+                     *lastModified = Conversions_generalizedTimeToMsTime(gtString);
+@@ -506,12 +511,14 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
+     uint32_t fileSize = 0;
+     uint64_t lastModified = 0;
+ 
+-    while (bufPos < maxBufPos) {
++    while (bufPos < maxBufPos)
++    {
+         uint8_t tag = buffer[bufPos++];
+         int length;
+ 
+         bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+-        if (bufPos < 0) {
++        if (bufPos < 0)
++        {
+             if (DEBUG_MMS_CLIENT)
+                 printf("MMS_CLIENT: invalid length field\n");
+             return false;
+@@ -525,12 +532,20 @@ parseDirectoryEntry(uint8_t* buffer, int bufPos, int maxBufPos, uint32_t invokeI
+             tag = buffer[bufPos++];
+ 
+             bufPos = BerDecoder_decodeLength(buffer, &length, bufPos, maxBufPos);
+-            if (bufPos < 0) {
++            if (bufPos < 0)
++            {
+                 if (DEBUG_MMS_CLIENT)
+                     printf("MMS_CLIENT: invalid length field\n");
+                 return false;
+             }
+ 
++            if (length > (sizeof(fileNameMemory) - 1))
++            {
++                if (DEBUG_MMS_CLIENT)
++                    printf("MMS_CLIENT: filename too long\n");
++                return false;
++            }
++
+             memcpy(filename, buffer + bufPos, length);
+             filename[length] = 0;
+ 
diff --git a/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb b/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb
index d36a3c9306..ce6f79e996 100644
--- a/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb
+++ b/meta-networking/recipes-connectivity/libiec61850/libiec61850_1.5.1.bb
@@ -19,6 +19,7 @@  SRC_URI = "git://github.com/mz-automation/${BPN}.git;branch=v1.5;protocol=https
            file://0001-pyiec61850-don-t-break-CMAKE_INSTALL_PATH-by-trying-.patch \
            file://0001-pyiec61850-Use-CMAKE_INSTALL_LIBDIR-from-GNUInstallD.patch \
            file://CVE-2024-45969.patch \
+           file://CVE-2024-45970.patch \
            "
 
 S = "${WORKDIR}/git"