From a1ac940da85a562d91ce706f38f27fca8f0a2576 Mon Sep 17 00:00:00 2001 From: RISCi_ATOM Date: Thu, 5 Oct 2017 10:18:53 -0400 Subject: [PATCH] Add updated curl patches and ap121f reference board --- .../curl/patches/103-CVE-2017-1000100.patch | 41 +++++++ .../curl/patches/104-CVE-2017-1000101.patch | 33 ++++++ .../files/arch/mips/ath79/mach-ap121f.c | 103 ++++++++++++++++++ 3 files changed, 177 insertions(+) create mode 100644 package/network/utils/curl/patches/103-CVE-2017-1000100.patch create mode 100644 package/network/utils/curl/patches/104-CVE-2017-1000101.patch create mode 100644 target/linux/ar71xx/files/arch/mips/ath79/mach-ap121f.c diff --git a/package/network/utils/curl/patches/103-CVE-2017-1000100.patch b/package/network/utils/curl/patches/103-CVE-2017-1000100.patch new file mode 100644 index 0000000000..93ab97bd14 --- /dev/null +++ b/package/network/utils/curl/patches/103-CVE-2017-1000100.patch @@ -0,0 +1,41 @@ +From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 1 Aug 2017 17:16:46 +0200 +Subject: [PATCH] tftp: reject file name lengths that don't fit + +... and thereby avoid telling send() to send off more bytes than the +size of the buffer! + +CVE-2017-1000100 + +Bug: https://curl.haxx.se/docs/adv_20170809B.html +Reported-by: Even Rouault + +Credit to OSS-Fuzz for the discovery +--- + lib/tftp.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/lib/tftp.c ++++ b/lib/tftp.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2016, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_sta + if(result) + return result; + ++ if(strlen(filename) > (state->blksize - strlen(mode) - 4)) { ++ failf(data, "TFTP file name too long\n"); ++ return CURLE_TFTP_ILLEGAL; /* too long file name field */ ++ } ++ + snprintf((char *)state->spacket.data+2, + state->blksize, + "%s%c%s%c", filename, '\0', mode, '\0'); diff --git a/package/network/utils/curl/patches/104-CVE-2017-1000101.patch b/package/network/utils/curl/patches/104-CVE-2017-1000101.patch new file mode 100644 index 0000000000..835b73eef9 --- /dev/null +++ b/package/network/utils/curl/patches/104-CVE-2017-1000101.patch @@ -0,0 +1,33 @@ +From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 1 Aug 2017 17:16:07 +0200 +Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow + range + +Added test 1289 to verify. + +CVE-2017-1000101 + +Bug: https://curl.haxx.se/docs/adv_20170809A.html +Reported-by: Brian Carpenter +--- + src/tool_urlglob.c | 5 ++++- + tests/data/Makefile.inc | 2 +- + tests/data/test1289 | 35 +++++++++++++++++++++++++++++++++++ + 3 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1289 + +--- a/src/tool_urlglob.c ++++ b/src/tool_urlglob.c +@@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob + } + errno = 0; + max_n = strtoul(pattern, &endp, 10); +- if(errno || (*endp == ':')) { ++ if(errno) ++ /* overflow */ ++ endp = NULL; ++ else if(*endp == ':') { + pattern = endp+1; + errno = 0; + step_n = strtoul(pattern, &endp, 10); diff --git a/target/linux/ar71xx/files/arch/mips/ath79/mach-ap121f.c b/target/linux/ar71xx/files/arch/mips/ath79/mach-ap121f.c new file mode 100644 index 0000000000..955b7faf63 --- /dev/null +++ b/target/linux/ar71xx/files/arch/mips/ath79/mach-ap121f.c @@ -0,0 +1,103 @@ +/* + * ALFA Network AP121F board support + * + * Copyright (C) 2017 Piotr Dymacz + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 as published + * by the Free Software Foundation. + */ + +#include +#include + +#include +#include + +#include "common.h" +#include "dev-eth.h" +#include "dev-gpio-buttons.h" +#include "dev-leds-gpio.h" +#include "dev-m25p80.h" +#include "dev-usb.h" +#include "dev-wmac.h" +#include "machtypes.h" + +#define AP121F_GPIO_LED_LAN 17 +#define AP121F_GPIO_LED_VPN 27 +#define AP121F_GPIO_LED_WLAN 0 + +#define AP121F_GPIO_MICROSD_EN 26 + +#define AP121F_GPIO_BTN_RESET 12 +#define AP121F_GPIO_BTN_SWITCH 21 + +#define AP121F_KEYS_POLL_INTERVAL 20 +#define AP121F_KEYS_DEBOUNCE_INTERVAL (3 * AP121F_KEYS_POLL_INTERVAL) + +#define AP121F_WMAC_CALDATA_OFFSET 0x1000 + +static struct gpio_led ap121f_leds_gpio[] __initdata = { + { + .name = "ap121f:green:lan", + .gpio = AP121F_GPIO_LED_LAN, + .active_low = 1, + }, { + .name = "ap121f:green:vpn", + .gpio = AP121F_GPIO_LED_VPN, + .active_low = 1, + }, { + .name = "ap121f:green:wlan", + .gpio = AP121F_GPIO_LED_WLAN, + .active_low = 0, + }, +}; + +static struct gpio_keys_button ap121f_gpio_keys[] __initdata = { + { + .desc = "reset", + .type = EV_KEY, + .code = KEY_RESTART, + .debounce_interval = AP121F_KEYS_DEBOUNCE_INTERVAL, + .gpio = AP121F_GPIO_BTN_RESET, + .active_low = 1, + }, { + .desc = "switch", + .type = EV_KEY, + .code = BTN_0, + .debounce_interval = AP121F_KEYS_DEBOUNCE_INTERVAL, + .gpio = AP121F_GPIO_BTN_SWITCH, + .active_low = 0, + }, +}; + +static void __init ap121f_setup(void) +{ + u8 *art = (u8 *) KSEG1ADDR(0x1f040000); + + ath79_register_m25p80(NULL); + + ath79_setup_ar933x_phy4_switch(false, false); + + /* LAN */ + ath79_register_mdio(0, 0x0); + ath79_init_mac(ath79_eth0_data.mac_addr, art, 0); + ath79_register_eth(0); + + ath79_register_leds_gpio(-1, ARRAY_SIZE(ap121f_leds_gpio), + ap121f_leds_gpio); + + ath79_register_gpio_keys_polled(-1, AP121F_KEYS_POLL_INTERVAL, + ARRAY_SIZE(ap121f_gpio_keys), + ap121f_gpio_keys); + + gpio_request_one(AP121F_GPIO_MICROSD_EN, + GPIOF_OUT_INIT_HIGH | GPIOF_EXPORT_DIR_FIXED, + "microSD enable"); + + ath79_register_wmac(art + AP121F_WMAC_CALDATA_OFFSET, NULL); + + ath79_register_usb(); +} + +MIPS_MACHINE(ATH79_MACH_AP121F, "AP121F", "ALFA Network AP121F", ap121f_setup); -- 2.25.1