connman: fix CVE-2021-26675, CVE-2021-26676

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39
could be used by network adjacent attackers to execute code.

gdhcp in ConnMan before 1.39 could be used by network-adjacent.
attackers to leak sensitive stack information, allowing further
exploitation of bugs in gdhcp.

References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26675
https://nvd.nist.gov/vuln/detail/CVE-2021-26676

Upstream patches:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1

(From OE-Core rev: 3c78000aaf8e4ee8ffb7674f5c286e2c110f167b)

Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
Signed-off-by: Randy MacLeod <Randy.MacLeod@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

1 files changed, 62 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
new file mode 100644
index 0000000000..2648a832ca
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
+From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:53 +0100
+Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
+
+Fixes: CVE-2021-26675
+
+Upstream-Status: Backport
+CVE: CVE-2021-26675
+
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
+
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/dnsproxy.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index a7bf87a1..4f5c897f 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                        char **uncompressed_ptr)
+ {
+        char *uptr = *uncompressed_ptr; /* position in result buffer */
++       char * const uncomp_end = uncompressed + uncomp_len - 1;
+
+        debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
+
+@@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * tmp buffer.
+                 */
+
+-               ulen = strlen(name);
+-               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+-
+                debug("pos %d ulen %d left %d name %s", pos, ulen,
+                        (int)(uncomp_len - (uptr - uncompressed)), uptr);
+
++               ulen = strlen(name);
++               if ((uptr + ulen + 1) > uncomp_end) {
++                       goto out;
++               }
++               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++
+                uptr += ulen;
+                *uptr++ = '\0';
+
+@@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * We copy also the fixed portion of the result (type, class,
+                 * ttl, address length and the address)
+                 */
++               if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
++                       debug("uncompressed data too large for buffer");
++                       goto out;
++               }
+                memcpy(uptr, ptr, NS_RRFIXEDSZ);
+
+                dns_type = uptr[0] << 8 | uptr[1];
+--
+2.17.1