authorHitendra Prajapati <hprajapati@mvista.com>2023-05-02 18:08:21 +0530
committerSteve Sakoman <steve@sakoman.com>2023-05-10 04:19:56 -1000
commit7aac01a2a723e3093744ab598296395e78296f5e (patch)
treed68b864fc49a5bad768b5d8ceae62f1be0191937
parent813d4715e4d37ef22a8e8f1275e248bed23b4779 (diff)
downloadpoky-7aac01a2a723e3093744ab598296395e78296f5e.tar.gz
connman: fix CVE-2023-28488 DoS in client.c
Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138 (From OE-Core rev: 7a5d78de47cdd79bcb1b0e62a65e10705d59a7d9) Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch60
-rw-r--r--meta/recipes-connectivity/connman/connman_1.41.bb1
2 files changed, 61 insertions, 0 deletions
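diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
new file mode 100644
index 0000000000..a6cabdfb20
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,60 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Avoid overwriting the read packet length after the initial test. Thus
+move all the length checks which depends on the total length first
+and do not use the total lenght from the IP packet afterwards.
+
+Reported by Polina Smirnova <moe.hwr@gmail.com>
+
+CVE: CVE-2023-28488
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 3016dfc..28fa606 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ struct sockaddr_in *dst_addr)
+ {
+- int bytes;
+ struct ip_udp_dhcp_packet packet;
+ uint16_t check;
++ int bytes, tot_len;
+
+ memset(&packet, 0, sizeof(packet));
+
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ if (bytes < 0)
+ return -1;
+
+- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+- return -1;
+-
+- if (bytes < ntohs(packet.ip.tot_len))
++ tot_len = ntohs(packet.ip.tot_len);
++ if (bytes > tot_len) {
++ /* ignore any extra garbage bytes */
++ bytes = tot_len;
++ } else if (bytes < tot_len) {
+ /* packet is bigger than sizeof(packet), we did partial read */
+ return -1;
++ }
+
+- /* ignore any extra garbage bytes */
+- bytes = ntohs(packet.ip.tot_len);
++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++ return -1;
+
+ if (!sanity_check(&packet, bytes))
+ return -1;
+--
+2.25.1
+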
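Review bot: In the second inner hunk of gdhcp/client.c, `tot_len = ntohs(packet.ip.tot_len);` now runs before any check that `bytes` covers the IP header, so on a short read the field's value depends entirely on the earlier `memset(&packet, 0, sizeof(packet));`. As written that is sound: a zero or partly filled `tot_len` either clamps `bytes` below the header size or trips the `bytes < tot_len` branch, and both paths return -1. The ordering is load-bearing, so it deserves a comment above the assignment, for example `/* packet is zeroed above, so tot_len is well defined even when the read was shorter than the IP header */`. The retained comment on the `bytes < tot_len` branch also undersells that case, which additionally covers a peer-supplied `tot_len` larger than what arrived; wording such as `/* header claims more than was read: truncated or malformed */` would make the untrusted-length handling explicit. The body of dhcp_recv_l2_packet continues past the end of this hunk, so later uses of `bytes` are not visible here.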
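diff --git a/meta/recipes-connectivity/connman/connman_1.41.bb b/meta/recipes-connectivity/connman/connman_1.41.bb
index 79542b2175..27b28be41c 100644
--- a/meta/recipes-connectivity/connman/connman_1.41.bb
+++ b/meta/recipes-connectivity/connman/connman_1.41.bb
@@ -8,6 +8,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
  file://CVE-2022-32293_p1.patch \
  file://CVE-2022-32293_p2.patch \
  file://CVE-2022-32292.patch \
+ file://CVE-2023-28488.patch \
  "
 
 SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"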