From: Jan Palus Date: Sat, 28 Jan 2023 23:41:22 +0000 (+0100) Subject: upstream fix for buffer overflow; rel 2 X-Git-Tag: auto/th/iwd-2.2-2 X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=ada402b08e4915a57c23909d18a5871b96c794ab;p=packages%2Fiwd.git upstream fix for buffer overflow; rel 2
---
diff --git a/buf-overflow.patch b/buf-overflow.patch
new file mode 100644
index 0000000..bf1ae46
--- /dev/null
+++ b/buf-overflow.patch
@@ -0,0 +1,63 @@
+From 54a06835580bc4e15c453ee87db8c14655e900ef Mon Sep 17 00:00:00 2001
+From: Denis Kenzior
+Date: Thu, 26 Jan 2023 09:59:56 -0600
+Subject: wiphy: Fix buffer overflow due to off-by-one error
+
+Since channels numbers are used as indexes into the array, and given
+that channel numbers start at '1' instead of 0, make sure to allocate a
+buffer large enough to not overflow when the max channel number for a
+given band is accessed.
+
+src/manager.c:manager_wiphy_dump_callback() New wiphy phy1 added (1)
+==22290== Invalid write of size 2
+==22290== at 0x4624B2: nl80211_parse_supported_frequencies (nl80211util.c:570)
+==22290== by 0x417CA5: parse_supported_bands (wiphy.c:1636)
+==22290== by 0x418594: wiphy_parse_attributes (wiphy.c:1805)
+==22290== by 0x418E20: wiphy_update_from_genl (wiphy.c:1991)
+==22290== by 0x464589: manager_wiphy_dump_callback (manager.c:564)
+==22290== by 0x4CBDDA: process_unicast (genl.c:944)
+==22290== by 0x4CC19C: received_data (genl.c:1056)
+==22290== by 0x4C7140: io_callback (io.c:120)
+==22290== by 0x4C5A97: l_main_iterate (main.c:476)
+==22290== by 0x4C5BDC: l_main_run (main.c:523)
+==22290== by 0x4C5F0F: l_main_run_with_signal (main.c:645)
+==22290== by 0x40503B: main (main.c:600)
+==22290== Address 0x4aa76ec is 0 bytes after a block of size 28 alloc'd
+==22290== at 0x48417B5: malloc (vg_replace_malloc.c:393)
+==22290== by 0x4BC4D1: l_malloc (util.c:62)
+==22290== by 0x417BE4: parse_supported_bands (wiphy.c:1619)
+==22290== by 0x418594: wiphy_parse_attributes (wiphy.c:1805)
+==22290== by 0x418E20: wiphy_update_from_genl (wiphy.c:1991)
+==22290== by 0x464589: manager_wiphy_dump_callback (manager.c:564)
+==22290== by 0x4CBDDA: process_unicast (genl.c:944)
+==22290== by 0x4CC19C: received_data (genl.c:1056)
+==22290== by 0x4C7140: io_callback (io.c:120)
+==22290== by 0x4C5A97: l_main_iterate (main.c:476)
+==22290== by 0x4C5BDC: l_main_run (main.c:523)
+==22290== by 0x4C5F0F: l_main_run_with_signal (main.c:645)
+==22290==
+---
+ src/wiphy.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/wiphy.c b/src/wiphy.c
+index fcdc3ab8..2db2d2cd 100644
+--- a/src/wiphy.c
++++ b/src/wiphy.c
+@@ -1616,8 +1616,12 @@ static void parse_supported_bands(struct wiphy *wiphy,
+ continue;
+
+ band->freq = freq;
++ /*
++ * Since channels start at 1, allocate one extra in
++ * order to use channel indexes without arithmetic
++ */
+ band->freq_attrs = l_new(struct band_freq_attrs,
+- num_channels);
++ num_channels + 1);
+ band->freqs_len = num_channels;
+
+ /* Reset iter to beginning */
+--
+cgit
+
diff --git a/iwd.spec b/iwd.spec
index 8c07ea5..f5e0ffb 100644
--- a/iwd.spec
+++ b/iwd.spec
@@ -2,11 +2,12 @@ Summary: iwd - wireless daemon for Linux
 Summary(pl.UTF-8): iwd - demon sieci bezprzewodowej dla Linuksa
 Name: iwd
 Version: 2.2
-Release: 1
+Release: 2
 License: LGPL v2.1+
 Group: Networking/Daemons
 Source0: https://www.kernel.org/pub/linux/network/wireless/%{name}-%{version}.tar.xz
 # Source0-md5: 2dbe822e77efa0f4a98435eb51e0236f
+Patch0: buf-overflow.patch
 URL: https://git.kernel.org/pub/scm/network/wireless/iwd.git
 BuildRequires: autoconf >= 2.69
 BuildRequires: automake
@@ -32,6 +33,7 @@ Demon sieci bezprzewodowej dla Linuksa.
 %prep
 %setup -q
+%patch0 -p1
 %build
 %{__libtoolize}
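Review bot: In the embedded src/wiphy.c hunk, `band->freqs_len = num_channels;` is left unchanged while `freq_attrs` now holds `num_channels + 1` entries, so the stored length no longer equals the allocation size and index 0 is unused. Any code that bounds-checks a channel number against `freqs_len` has to accept `channel == freqs_len` and reject anything larger. Whether the writer at nl80211util.c:570 (named in the valgrind trace) and the other readers of `freq_attrs` do that is not visible on this page and should be confirmed against the iwd 2.2 sources. The added comment could spell the invariant out, e.g. `/* freq_attrs has freqs_len + 1 entries; index 0 is unused */`. parse_supported_bands starts and ends outside the hunk.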