components/transmission/patches/06-CVE-2014-4909.patch

   1 Description: fix denial of service and possible code execution via
   2  overflow in tr_bitfieldEnsureNthBitAlloced
   3 Origin: upstream, https://trac.transmissionbt.com/changeset/14303
   4
   5 Index: transmission-2.51/libtransmission/bitfield.c
   6 ===================================================================
   7 --- transmission-2.51.orig/libtransmission/bitfield.c   2014-07-11 14:16:10.232959680 -0400
   8 +++ transmission-2.51/libtransmission/bitfield.c        2014-07-11 14:17:20.168958596 -0400
   9 @@ -150,7 +150,7 @@
  10  static size_t
  11  get_bytes_needed( size_t bit_count )
  12  {
  13 -    return ( bit_count + 7u ) / 8u;
  14 +    return (bit_count >> 3) + (bit_count & 7 ? 1 : 0);
  15  }
  16
  17  static void
  18 @@ -203,11 +203,16 @@
  19      }
  20  }
  21
  22 -static void
  23 +static bool
  24  tr_bitfieldEnsureNthBitAlloced( tr_bitfield * b, size_t nth )
  25  {
  26      /* count is zero-based, so we need to allocate nth+1 bits before setting the nth */
  27 +
  28 +    if (nth == SIZE_MAX)
  29 +      return false;
  30 +
  31      tr_bitfieldEnsureBitsAlloced( b, nth + 1 );
  32 +    return true;
  33  }
  34
  35  static void
  36 @@ -339,9 +344,8 @@
  37  void
  38  tr_bitfieldAdd( tr_bitfield * b, size_t nth )
  39  {
  40 -    if( !tr_bitfieldHas( b, nth ) )
  41 +    if (!tr_bitfieldHas (b, nth) && tr_bitfieldEnsureNthBitAlloced (b, nth))
  42      {
  43 -        tr_bitfieldEnsureNthBitAlloced( b, nth );
  44          b->bits[nth >> 3u] |= ( 0x80 >> ( nth & 7u ) );
  45          tr_bitfieldIncTrueCount( b, 1 );
  46      }
  47 @@ -367,7 +371,9 @@
  48      eb = end >> 3;
  49      em = 0xff << ( 7 - ( end & 7 ) );
  50
  51 -    tr_bitfieldEnsureNthBitAlloced( b, end );
  52 +    if (!tr_bitfieldEnsureNthBitAlloced (b, end))
  53 +      return;
  54 +
  55      if( sb == eb )
  56      {
  57          b->bits[sb] |= ( sm & em );
  58 @@ -388,9 +394,8 @@
  59  {
  60      assert( tr_bitfieldIsValid( b ) );
  61
  62 -    if( !tr_bitfieldHas( b, nth ) )
  63 +    if (!tr_bitfieldHas (b, nth) && tr_bitfieldEnsureNthBitAlloced (b, nth))
  64      {
  65 -        tr_bitfieldEnsureNthBitAlloced( b, nth );
  66          b->bits[nth >> 3u] &= ( 0xff7f >> ( nth & 7u ) );
  67          tr_bitfieldIncTrueCount( b, -1 );
  68      }
  69 @@ -417,7 +422,9 @@
  70      eb = end >> 3;
  71      em = ~( 0xff << ( 7 - ( end & 7 ) ) );
  72
  73 -    tr_bitfieldEnsureNthBitAlloced( b, end );
  74 +    if (!tr_bitfieldEnsureNthBitAlloced (b, end))
  75 +      return;
  76 +
  77      if( sb == eb )
  78      {
  79          b->bits[sb] &= ( sm | em );
  80 Index: transmission-2.51/libtransmission/peer-msgs.c
  81 ===================================================================
  82 --- transmission-2.51.orig/libtransmission/peer-msgs.c  2014-07-11 14:16:10.232959680 -0400
  83 +++ transmission-2.51/libtransmission/peer-msgs.c       2014-07-11 14:16:10.228959680 -0400
  84 @@ -35,6 +35,10 @@
  85  #include "utils.h"
  86  #include "version.h"
  87
  88 +#ifndef EBADMSG
  89 + #define EBADMSG EINVAL
  90 +#endif
  91 +
  92  /**
  93  ***
  94  **/
  95 @@ -1559,6 +1563,12 @@
  96      assert( msgs );
  97      assert( req );
  98
  99 +    if (!requestIsValid (msgs, req)) {
 100 +        dbgmsg (msgs, "dropping invalid block %u:%u->%u",
 101 +                req->index, req->offset, req->length);
 102 +        return EBADMSG;
 103 +    }
 104 +
 105      if( req->length != tr_torBlockCountBytes( msgs->torrent, block ) ) {
 106          dbgmsg( msgs, "wrong block size -- expected %u, got %d",
 107                  tr_torBlockCountBytes( msgs->torrent, block ), req->length );