connman: Fix CVE-2023-28488 DoS in client.c

Avoid overwriting the read packet length after the initial test. Thus move all the length checks which depends on the total length first and do not use the total lenght from the IP packet afterwards. Fixes CVE-2023-28488 Reported by Polina Smirnova <moe.hwr@gmail.com> (From OE-Core rev: 47a9ae5592392bd10740e4571b06c8c739705058) Signed-off-by: Ashish Sharma <asharma@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Ashish Sharma <asharma@mvista.com> 2023-05-10 00:00:04 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-05-16 06:18:21 -1000
commit: f5051dae9f71a3faf0040e783f07e6fa256945a6 (patch)
tree: 93af59239ae3b579296fcf6b93f658c2b33c5842
parent: 97ffdc15190b68cc07f1198e69f239c62f90c8fe (diff)
download: poky-f5051dae9f71a3faf0040e783f07e6fa256945a6.tar.gz
2 files changed, 55 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
new file mode 100644
index 0000000000..ea1601cc04
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+CVE: CVE-2023-28488
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
+++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+                                struct sockaddr_in *dst_addr)
+ {
+-       int bytes;
+        struct ip_udp_dhcp_packet packet;
+        uint16_t check;
+       int bytes, tot_len;
+ 
+        memset(&packet, 0, sizeof(packet));
+ 
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+        if (bytes < 0)
+                return -1;
+ 
+-       if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+-               return -1;
+-
+-       if (bytes < ntohs(packet.ip.tot_len))
+       tot_len = ntohs(packet.ip.tot_len);
+       if (bytes > tot_len) {
+               /* ignore any extra garbage bytes */
+               bytes = tot_len;
+       } else if (bytes < tot_len) {
+                /* packet is bigger than sizeof(packet), we did partial read */
+                return -1;
+       }
+ 
+-       /* ignore any extra garbage bytes */
+-       bytes = ntohs(packet.ip.tot_len);
+       if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+               return -1;
+ 
+        if (!sanity_check(&packet, bytes))
+                return -1;
+-- 
+cgit 
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index 73d7f7527e..8062a094d3 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -14,6 +14,7 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://CVE-2022-23098.patch \
            file://CVE-2022-32292.patch \
             file://CVE-2022-32293.patch \
+            file://CVE-2023-28488.patch \
 "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
author	Ashish Sharma <asharma@mvista.com>	2023-05-10 00:00:04 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-05-16 06:18:21 -1000
commit	f5051dae9f71a3faf0040e783f07e6fa256945a6 (patch)
tree	93af59239ae3b579296fcf6b93f658c2b33c5842
parent	97ffdc15190b68cc07f1198e69f239c62f90c8fe (diff)
download	poky-f5051dae9f71a3faf0040e783f07e6fa256945a6.tar.gz

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch new file mode 100644 index 0000000000..ea1601cc04 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
		1	From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
		2	From: Daniel Wagner <wagi@monom.org>
		3	Date: Tue, 11 Apr 2023 08:12:56 +0200
		4	Subject: gdhcp: Verify and sanitize packet length first
		5
		6	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
		7	CVE: CVE-2023-28488
		8	Signed-off-by: Ashish Sharma <asharma@mvista.com>
		9
		10	gdhcp/client.c \| 16 +++++++++-------
		11	1 file changed, 9 insertions(+), 7 deletions(-)
		12
		13	diff --git a/gdhcp/client.c b/gdhcp/client.c
		14	index 7efa7e45..82017692 100644
		15	--- a/gdhcp/client.c
		16	+++ b/gdhcp/client.c
		17	@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
		18	static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
		19	struct sockaddr_in *dst_addr)
		20	{
		21	- int bytes;
		22	struct ip_udp_dhcp_packet packet;
		23	uint16_t check;
		24	+ int bytes, tot_len;
		25
		26	memset(&packet, 0, sizeof(packet));
		27
		28	@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
		29	if (bytes < 0)
		30	return -1;
		31
		32	- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
		33	- return -1;
		34	-
		35	- if (bytes < ntohs(packet.ip.tot_len))
		36	+ tot_len = ntohs(packet.ip.tot_len);
		37	+ if (bytes > tot_len) {
		38	+ /* ignore any extra garbage bytes */
		39	+ bytes = tot_len;
		40	+ } else if (bytes < tot_len) {
		41	/* packet is bigger than sizeof(packet), we did partial read */
		42	return -1;
		43	+ }
		44
		45	- /* ignore any extra garbage bytes */
		46	- bytes = ntohs(packet.ip.tot_len);
		47	+ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
		48	+ return -1;
		49
		50	if (!sanity_check(&packet, bytes))
		51	return -1;
		52	--
		53	cgit
		54


diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index 73d7f7527e..8062a094d3 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -14,6 +14,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
14	file://CVE-2022-23098.patch \	14	file://CVE-2022-23098.patch \
15	file://CVE-2022-32292.patch \	15	file://CVE-2022-32292.patch \
16	file://CVE-2022-32293.patch \	16	file://CVE-2022-32293.patch \
		17	file://CVE-2023-28488.patch \
17	"	18	"
18		19
19	SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"	20	SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"