mirror of
git://git.yoctoproject.org/poky.git
synced 2025-07-19 21:09:03 +02:00
connman :fix CVE-2025-32366
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32366 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4 (From OE-Core rev: 02e046149b1cc5eca5188eec7b4e1a9970b97faf) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Praveen Kumar
Steve Sakoman
parent
ac204a6bf9
commit
f80b122315
|
|
@ -0,0 +1,41 @@
|
||||||
|
From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Yoonje Shin <ioerts@kookmin.ac.kr>
|
||||||
|
Date: Mon, 12 May 2025 10:48:18 +0200
|
||||||
|
Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
|
||||||
|
|
||||||
|
In Connman parse_rr in dnsproxy.c has a memcpy length
|
||||||
|
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
|
||||||
|
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
|
||||||
|
than the amount of remaining packet data in the current state of
|
||||||
|
parsing. As a result, values of stack memory locations may be sent
|
||||||
|
over the network in a response.
|
||||||
|
|
||||||
|
This patch adds a check to ensure that (*end + *rdlen) does not exceed
|
||||||
|
the valid range. If the condition is violated, the function returns
|
||||||
|
-EINVAL.
|
||||||
|
|
||||||
|
CVE: CVE-2025-32366
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
|
||||||
|
|
||||||
|
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
|
||||||
|
---
|
||||||
|
src/dnsproxy.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
|
||||||
|
index 1a5a4f3..50b2d55 100644
|
||||||
|
--- a/src/dnsproxy.c
|
||||||
|
+++ b/src/dnsproxy.c
|
||||||
|
@@ -985,6 +985,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
|
||||||
|
if ((offset + *rdlen) > *response_size)
|
||||||
|
return -ENOBUFS;
|
||||||
|
|
||||||
|
+ if ((*end + *rdlen) > max)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
|
memcpy(response + offset, *end, *rdlen);
|
||||||
|
|
||||||
|
*end += *rdlen;
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
|
|
@ -8,6 +8,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
|
||||||
file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
|
file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
|
||||||
file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \
|
file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \
|
||||||
file://CVE-2025-32743.patch \
|
file://CVE-2025-32743.patch \
|
||||||
|
file://CVE-2025-32366.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
|
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue
Block a user