From ec0b708b981af77fef8e4bbb603cde4de4cd2e29 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro <mcatanzaro@redhat.com>
Date: Thu, 19 Sep 2024 18:35:53 +0100
Subject: [PATCH] gsocks4aproxy: Fix a single byte buffer overflow in connect
 messages

`SOCKS4_CONN_MSG_LEN` failed to account for the length of the final nul
byte in the connect message, which is an addition in SOCKSv4a vs
SOCKSv4.

This means that the buffer for building and transmitting the connect
message could be overflowed if the username and hostname are both
`SOCKS4_MAX_LEN` (255) bytes long.

Proxy configurations are normally statically configured, so the username
is very unlikely to be near its maximum length, and hence this overflow
is unlikely to be triggered in practice.

(Commit message by Philip Withnall, diagnosis and fix by Michael
Catanzaro.)

Fixes: #3461

Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29]
CVE: CVE-2024-52533
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 gio/gsocks4aproxy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gio/gsocks4aproxy.c b/gio/gsocks4aproxy.c
index 3dad118eb7..b3146d08fd 100644
--- a/gio/gsocks4aproxy.c
+++ b/gio/gsocks4aproxy.c
@@ -79,9 +79,9 @@ g_socks4a_proxy_init (GSocks4aProxy *proxy)
  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
  * | VN | CD | DSTPORT |      DSTIP        | USERID       |NULL| HOST |    | NULL |
  * +----+----+----+----+----+----+----+----+----+----+....+----+------+....+------+
- *    1    1      2              4           variable       1    variable
+ *    1    1      2              4           variable       1    variable    1
  */
-#define SOCKS4_CONN_MSG_LEN	    (9 + SOCKS4_MAX_LEN * 2)
+#define SOCKS4_CONN_MSG_LEN	    (10 + SOCKS4_MAX_LEN * 2)
 static gint
 set_connect_msg (guint8      *msg,
 		 const gchar *hostname,
-- 
GitLab