Cherry-pick libevent CVE fixes from libevent into ompi. Fixes #10542.

azat · BrendanCunningham · commit 8cc9cceb20f4 · 2022-07-26T10:13:48.000-04:00
CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10195 libevent issue: libevent dns remote stack overread vulnerability libevent/libevent#317 libevent fixing commit: libevent/libevent@96f64a0 CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10196 libevent issue: libevent (stack) buffer overflow in evutil_parse_sockaddr_port() libevent/libevent#318 libevent fixing commit: libevent/libevent@329acc1 CVE: https://nvd.nist.gov/vuln/detail/CVE-2016-10197 libevent issue: out-of-bounds read in search_make_new() libevent/libevent#332 libevent fixing commit: libevent/libevent@ec65c42 Signed-off-by: Brendan Cunningham <bcunningham@cornelisnetworks.com>
diff --git a/opal/mca/event/libevent2022/libevent/evdns.c b/opal/mca/event/libevent2022/libevent/evdns.c
@@ -958,7 +958,6 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
 
 	for (;;) {
 		u8 label_len;
-		if (j >= length) return -1;
 		GET8(label_len);
 		if (!label_len) break;
 		if (label_len & 0xc0) {
@@ -979,6 +978,7 @@ name_parse(u8 *packet, int length, int *idx, char *name_out, int name_out_len) {
 			*cp++ = '.';
 		}
 		if (cp + label_len >= end) return -1;
+		if (j + label_len > length) return -1;
 		memcpy(cp, packet + j, label_len);
 		cp += label_len;
 		j += label_len;
@@ -3120,9 +3120,12 @@ search_set_from_hostname(struct evdns_base *base) {
 static char *
 search_make_new(const struct search_state *const state, int n, const char *const base_name) {
 	const size_t base_len = strlen(base_name);
-	const char need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
+	char need_to_append_dot;
 	struct search_domain *dom;
 
+	if (!base_len) return NULL;
+	need_to_append_dot = base_name[base_len - 1] == '.' ? 0 : 1;
+
 	for (dom = state->head; dom; dom = dom->next) {
 		if (!n--) {
 			/* this is the postfix we want */
diff --git a/opal/mca/event/libevent2022/libevent/evutil.c b/opal/mca/event/libevent2022/libevent/evutil.c
@@ -1808,12 +1808,12 @@ evutil_parse_sockaddr_port(const char *ip_as_string, struct sockaddr *out, int *
 
 	cp = strchr(ip_as_string, ':');
 	if (*ip_as_string == '[') {
-		int len;
+		size_t len;
 		if (!(cp = strchr(ip_as_string, ']'))) {
 			return -1;
 		}
-		len = (int) ( cp-(ip_as_string + 1) );
-		if (len > (int)sizeof(buf)-1) {
+		len = ( cp-(ip_as_string + 1) );
+		if (len > sizeof(buf)-1) {
 			return -1;
 		}
 		memcpy(buf, ip_as_string+1, len);
