diff options
Diffstat (limited to 'net')
-rw-r--r-- | net/qt5-network/Makefile | 1 | ||||
-rw-r--r-- | net/qt5-network/files/patch-security-rollup | 165 |
2 files changed, 166 insertions, 0 deletions
diff --git a/net/qt5-network/Makefile b/net/qt5-network/Makefile index c92c8074b1f0..c0ec67874b8c 100644 --- a/net/qt5-network/Makefile +++ b/net/qt5-network/Makefile @@ -1,5 +1,6 @@ PORTNAME= network PORTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} +PORTREVISION= 1 CATEGORIES= net PKGNAMEPREFIX= qt5- diff --git a/net/qt5-network/files/patch-security-rollup b/net/qt5-network/files/patch-security-rollup new file mode 100644 index 000000000000..09cf34ef8b34 --- /dev/null +++ b/net/qt5-network/files/patch-security-rollup @@ -0,0 +1,165 @@ +From a4d20b51de320a5da2d5f1bf277af8293adc5398 Mon Sep 17 00:00:00 2001 +From: Marc Mutz <marc.mutz@qt.io> +Date: Tue, 12 Dec 2023 20:51:56 +0100 +Subject: [PATCH] HPack: fix a Yoda Condition + +Putting the variable on the LHS of a relational operation makes the +expression easier to read. In this case, we find that the whole +expression is nonsensical as an overflow protection, because if +name.size() + value.size() overflows, the result will exactly _not_ +be > max() - 32, because UB will have happened. + +To be fixed in a follow-up commit. + +As a drive-by, add parentheses around the RHS. + +Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09 +Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> +(cherry picked from commit 658607a34ead214fbacbc2cca44915655c318ea9) +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> +(cherry picked from commit 4f7efd41740107f90960116700e3134f5e433867) +(cherry picked from commit 13c16b756900fe524f6d9534e8a07aa003c05e0c) +(cherry picked from commit 1d4788a39668fb2dc5912a8d9c4272dc40e99f92) +(cherry picked from commit 87de75b5cc946d196decaa6aef4792a6cac0b6db) +--- + src/network/access/http2/hpacktable.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp +index fddb5feca56..3d88cb66f51 100644 +--- src/network/access/http2/hpacktable.cpp.orig ++++ src/network/access/http2/hpacktable.cpp +@@ -63,7 +63,7 @@ HeaderSize entry_size(const QByteArray &name, const QByteArray &value) + // 32 octets of overhead." + + const unsigned sum = unsigned(name.size() + value.size()); +- if (std::numeric_limits<unsigned>::max() - 32 < sum) ++ if (sum > (std::numeric_limits<unsigned>::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); + } +From c379f4ef587d61c9a5b61b5ada57fdadcc8145eb Mon Sep 17 00:00:00 2001 +From: Marc Mutz <marc.mutz@qt.io> +Date: Tue, 12 Dec 2023 22:08:07 +0100 +Subject: [PATCH] HPack: fix incorrect integer overflow check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This code never worked: + +For the comparison with max() - 32 to trigger, on 32-bit platforms (or +Qt 5) signed interger overflow would have had to happen in the +addition of the two sizes. The compiler can therefore remove the +overflow check as dead code. + +On Qt 6 and 64-bit platforms, the signed integer addition would be +very unlikely to overflow, but the following truncation to uint32 +would yield the correct result only in a narrow 32-value window just +below UINT_MAX, if even that. + +Fix by using the proper tool, qAddOverflow. + +Manual conflict resolutions: + - qAddOverflow doesn't exist in Qt 5, use private add_overflow + predecessor API instead + +Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c +Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> +(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3) +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> +(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860) +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> +Reviewed-by: Marc Mutz <marc.mutz@qt.io> +(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7) +(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00) +(cherry picked from commit 9ef4ca5ecfed771dab890856130e93ef5ceabef5) +Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io> +--- + src/network/access/http2/hpacktable.cpp | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp +index 3d88cb66f51..315f3e23440 100644 +--- src/network/access/http2/hpacktable.cpp.orig ++++ src/network/access/http2/hpacktable.cpp +@@ -40,6 +40,7 @@ + #include "hpacktable_p.h" + + #include <QtCore/qdebug.h> ++#include <QtCore/private/qnumeric_p.h> + + #include <algorithm> + #include <cstddef> +@@ -62,7 +63,9 @@ HeaderSize entry_size(const QByteArray &name, const QByteArray &value) + // for counting the number of references to the name and value would have + // 32 octets of overhead." + +- const unsigned sum = unsigned(name.size() + value.size()); ++ size_t sum; ++ if (add_overflow(size_t(name.size()), size_t(value.size()), &sum)) ++ return HeaderSize(); + if (sum > (std::numeric_limits<unsigned>::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); +From 8907dedc858cc344d770a2e826d6acc516429540 Mon Sep 17 00:00:00 2001 +From: Marc Mutz <marc.mutz@qt.io> +Date: Tue, 19 Dec 2023 14:22:37 +0100 +Subject: [PATCH] Http2: fix potential overflow in assemble_hpack_block() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function is given a vector of Http2::Frame's and flattens it into +a vector<uchar>. While each Frame can contain a maximum of 16GiB of +data (24-bit size field), one "only" needs 257 of them to overflow the +quint32 variable's range. + +So make sure any overflow does not go undetected. + +Keep the limited uint32_t range for now, as we don't know whether all +consumers of the result can deal with more than 4GiB of data. + +Since all these frames must be in memory, this cannot overflow in +practice on 32-bit machines. + +Pick-to: 6.7 6.6 6.5 6.2 5.15 +Change-Id: Iafaa7d1c870cba9100e75065db11d95934f86213 +Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io> +(cherry picked from commit 1e6bb61af3ae29755f93b92f157df026f934ae61) + +* asturmlechner 2024-01-02: Use correct include for 5.15 +--- + src/network/access/qhttp2protocolhandler.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp +index 39dd460881a..ead88d781ae 100644 +--- src/network/access/qhttp2protocolhandler.cpp.orig ++++ src/network/access/qhttp2protocolhandler.cpp +@@ -46,10 +46,12 @@ + #include <private/qnoncontiguousbytedevice_p.h> + + #include <QtNetwork/qabstractsocket.h> ++ + #include <QtCore/qloggingcategory.h> + #include <QtCore/qendian.h> + #include <QtCore/qdebug.h> + #include <QtCore/qlist.h> ++#include <QtCore/private/qnumeric_p.h> + #include <QtCore/qurl.h> + + #include <qhttp2configuration.h> +@@ -124,8 +126,10 @@ std::vector<uchar> assemble_hpack_block(const std::vector<Http2::Frame> &frames) + std::vector<uchar> hpackBlock; + + quint32 total = 0; +- for (const auto &frame : frames) +- total += frame.hpackBlockSize(); ++ for (const auto &frame : frames) { ++ if (add_overflow(total, frame.hpackBlockSize(), &total)) ++ return hpackBlock; ++ } + + if (!total) + return hpackBlock; |