Package: spice / 0.14.3-2.1

CVE-2020-14355/0004-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From: Frediano Ziglio <freddy77@gmail.com>
Date: Thu, 30 Apr 2020 10:19:09 +0100
Subject: [4/4] quic: Avoid possible buffer overflow in find_bucket
https://gitlab.freedesktop.org/spice/spice-common/-/commit/b24fe6b66b86e601c725d30f00c37e684b6395b6
Bug-Debian: https://bugs.debian.org/971750
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-14355

Proved by fuzzing the code.

Signed-off-by: Frediano Ziglio <freddy77@gmail.com>
Acked-by: Uri Lublin <uril@redhat.com>
---
 subprojects/spice-common/common//quic_family_tmpl.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/subprojects/spice-common/common/quic_family_tmpl.c
+++ b/subprojects/spice-common/common/quic_family_tmpl.c
@@ -105,7 +105,12 @@ static s_bucket *FNAME(find_bucket)(Chan
         spice_assert(val < (0x1U << BPC));
     }
 
-    return channel->_buckets_ptrs[val];
+    /* The and (&) here is to avoid buffer overflows in case of garbage or malicious
+     * attempts. Is much faster then using comparisons and save us from such situations.
+     * Note that on normal build the check above won't be compiled as this code path
+     * is pretty hot and would cause speed regressions.
+     */
+    return channel->_buckets_ptrs[val & ((1U << BPC) - 1)];
 }
 
 #undef FNAME
-- 
2.28.0