author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-08-21 14:05:34 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-23 08:47:02 +0100 |
commit | 9086b525dd00f482ea68a384540cd30778413c9e (patch) | |
tree | 964deda3c0af8372664406c9ce0929b33bc6f9eb /meta | |
parent | c55b3706124ef0298be3697a4dcf1fc121f45d75 (diff) | |
download | poky-9086b525dd00f482ea68a384540cd30778413c9e.tar.gz |
connman: Fix for CVE-2017-12865
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
past the end of the "name" variable in parse_response().
[YOCTO #11959]
(From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch | 87 | ||||
-rw-r--r-- | meta/recipes-connectivity/connman/connman_1.34.bb | 1 |
2 files changed, 88 insertions, 0 deletions
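--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+src/dnsproxy.c | 16 ++++++++++------
+1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+static int get_name(int counter,
+unsigned char *pkt, unsigned char *start, unsigned char *max,
+unsigned char *output, int output_max, int *output_len,
+- unsigned char **end, char *name, int *name_len)
++ unsigned char **end, char *name, size_t max_name, int *name_len)
+{
+unsigned char *p;
+
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+
+return get_name(counter + 1, pkt, pkt + offset, max,
+output, output_max, output_len, end,
+- name, name_len);
++ name, max_name, name_len);
+} else {
+unsigned label_len = *p;
+
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+if (*output_len > output_max)
+return -ENOBUFS;
+
++ if ((*name_len + 1 + label_len + 1) > max_name)
++ return -ENOBUFS;
++
+/*
+* We need the original name in order to check
+* if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+unsigned char *response, unsigned int *response_size,
+uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+unsigned char **end,
+- char *name)
++ char *name, size_t max_name)
+{
+struct domain_rr *rr;
+int err, offset;
+int name_len = 0, output_len = 0, max_rsp = *response_size;
+
+err = get_name(0, buf, start, max, response, max_rsp,
+- &output_len, end, name, &name_len);
++ &output_len, end, name, max_name, &name_len);
+if (err < 0)
+return err;
+
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+memset(rsp, 0, sizeof(rsp));
+
+ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+- type, class, ttl, &rdlen, &next, name);
++ type, class, ttl, &rdlen, &next, name,
++ sizeof(name) - 1);
+if (ret != 0) {
+err = ret;
+goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+*/
+ret = get_name(0, buf, next - rdlen, buf + buflen,
+rsp, rsp_len, &output_len, &end,
+- name, &name_len);
++ name, sizeof(name) - 1, &name_len);
+if (ret != 0) {
+/* just ignore the error at this point */
+ptr = next;
+--
+cgit v1.1
+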
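Review bot: Both `parse_response()` call sites pass `sizeof(name) - 1` as the new `max_name` bound, which equals the buffer capacity only while `name` is an array declared inside `parse_response()`. That declaration lies outside the hunks shown, so it should be confirmed; if `name` were a pointer, the bound would silently become the pointer size minus one. A comment at the first call, such as `/* name is a local array here; sizeof() yields its full capacity */`, would protect the check against a later refactor. The guard `if ((*name_len + 1 + label_len + 1) > max_name)` mixes `int`, `unsigned` and `size_t`, and nothing in `get_name()` says whether `max_name` counts the terminating NUL. If the intent is what the callers suggest, a parameter comment like `/* max_name: usable bytes in name, excluding the final NUL */` would make the bound's arithmetic reviewable. The bodies of `get_name()`, `parse_rr()` and `parse_response()` continue outside these hunks.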
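--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
 file://connman \
 file://no-version-scripts.patch \
 file://includes.patch \
+file://CVE-2017-12865.patch \
 "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
 "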