From 534f92cb0a0d4a3cbf73c42488f4a5a4c8e8791c Mon Sep 17 00:00:00 2001 From: Praveen Kumar Date: Wed, 7 May 2025 06:48:23 +0000 Subject: [PATCH] connman: Fix CVE-2025-32743 In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32743 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f (From OE-Core rev: 610056dccc7144a70bcf69aec720b44bc7de7557) Signed-off-by: Praveen Kumar Signed-off-by: Mathieu Dubois-Briand Signed-off-by: Richard Purdie --- .../connman/connman/CVE-2025-32743.patch | 48 +++++++++++++++++++ .../connman/connman_1.44.bb | 1 + 2 files changed, 49 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch new file mode 100644 index 0000000000..c114589679 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch @@ -0,0 +1,48 @@ +From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001 +From: Praveen Kumar +Date: Thu, 24 Apr 2025 11:39:29 +0000 +Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash + +In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c +can be NULL or an empty string when the TC (Truncated) bit is set in +a DNS response. This allows attackers to cause a denial of service +(application crash) or possibly execute arbitrary code, because those +lookup values lead to incorrect length calculations and incorrect +memcpy operations. + +This patch includes a check to make sure loookup value is valid before +using it. This helps avoid unexpected value when the input is empty or +incorrect. + +Fixes: CVE-2025-32743 + +CVE: CVE-2025-32743 + +Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f] + +Signed-off-by: Praveen Kumar +--- + src/dnsproxy.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index f28a5d7..7ee26d9 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req, + gpointer request, gpointer name) + { + int sk = -1; ++ int err; + const char *lookup = (const char *)name; +- int err = ns_try_resolv_from_cache(req, request, lookup); ++ ++ if (!lookup || strlen(lookup) == 0) ++ return -EINVAL; ++ ++ err = ns_try_resolv_from_cache(req, request, lookup); + + if (err > 0) + /* cache hit */ +-- +2.40.0 diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.44.bb index 00e69182d7..b25a435577 100644 --- a/meta/recipes-connectivity/connman/connman_1.44.bb +++ b/meta/recipes-connectivity/connman/connman_1.44.bb @@ -21,6 +21,7 @@ DEPENDS = "dbus glib-2.0" SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://connman \ file://0002-resolve-musl-does-not-implement-res_ninit.patch \ + file://CVE-2025-32743.patch \ " SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"