summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2017-08-21 14:05:34 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-08-23 08:47:02 +0100
commit9086b525dd00f482ea68a384540cd30778413c9e (patch)
tree964deda3c0af8372664406c9ce0929b33bc6f9eb /meta
parentc55b3706124ef0298be3697a4dcf1fc121f45d75 (diff)
downloadpoky-9086b525dd00f482ea68a384540cd30778413c9e.tar.gz
connman: Fix for CVE-2017-12865
dnsproxy: Fix crash on malformed DNS response If the response query string is malformed, we might access memory pass the end of "name" variable in parse_response(). [YOCTO #11959] (From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch87
-rw-r--r--meta/recipes-connectivity/connman/connman_1.34.bb1
2 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 0000000000..45f78f10ea
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
1From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
2From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
3Date: Wed, 9 Aug 2017 10:16:46 +0300
4Subject: dnsproxy: Fix crash on malformed DNS response
5
6If the response query string is malformed, we might access memory
7pass the end of "name" variable in parse_response().
8
9CVE: CVE-2017-12865
10Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
11
12Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13---
14 src/dnsproxy.c | 16 ++++++++++------
15 1 file changed, 10 insertions(+), 6 deletions(-)
16
17diff --git a/src/dnsproxy.c b/src/dnsproxy.c
18index 38ac5bf..40b4f15 100644
19--- a/src/dnsproxy.c
20+++ b/src/dnsproxy.c
21@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
22 static int get_name(int counter,
23 unsigned char *pkt, unsigned char *start, unsigned char *max,
24 unsigned char *output, int output_max, int *output_len,
25- unsigned char **end, char *name, int *name_len)
26+ unsigned char **end, char *name, size_t max_name, int *name_len)
27 {
28 unsigned char *p;
29
30@@ -859,7 +859,7 @@ static int get_name(int counter,
31
32 return get_name(counter + 1, pkt, pkt + offset, max,
33 output, output_max, output_len, end,
34- name, name_len);
35+ name, max_name, name_len);
36 } else {
37 unsigned label_len = *p;
38
39@@ -869,6 +869,9 @@ static int get_name(int counter,
40 if (*output_len > output_max)
41 return -ENOBUFS;
42
43+ if ((*name_len + 1 + label_len + 1) > max_name)
44+ return -ENOBUFS;
45+
46 /*
47 * We need the original name in order to check
48 * if this answer is the correct one.
49@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
50 unsigned char *response, unsigned int *response_size,
51 uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
52 unsigned char **end,
53- char *name)
54+ char *name, size_t max_name)
55 {
56 struct domain_rr *rr;
57 int err, offset;
58 int name_len = 0, output_len = 0, max_rsp = *response_size;
59
60 err = get_name(0, buf, start, max, response, max_rsp,
61- &output_len, end, name, &name_len);
62+ &output_len, end, name, max_name, &name_len);
63 if (err < 0)
64 return err;
65
66@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
67 memset(rsp, 0, sizeof(rsp));
68
69 ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
70- type, class, ttl, &rdlen, &next, name);
71+ type, class, ttl, &rdlen, &next, name,
72+ sizeof(name) - 1);
73 if (ret != 0) {
74 err = ret;
75 goto out;
76@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
77 */
78 ret = get_name(0, buf, next - rdlen, buf + buflen,
79 rsp, rsp_len, &output_len, &end,
80- name, &name_len);
81+ name, sizeof(name) - 1, &name_len);
82 if (ret != 0) {
83 /* just ignore the error at this point */
84 ptr = next;
85--
86cgit v1.1
87
diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb b/meta/recipes-connectivity/connman/connman_1.34.bb
index 868f940e1d..dc2c688f49 100644
--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
7 file://connman \ 7 file://connman \
8 file://no-version-scripts.patch \ 8 file://no-version-scripts.patch \
9 file://includes.patch \ 9 file://includes.patch \
10 file://CVE-2017-12865.patch \
10 " 11 "
11SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \ 12SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
12 " 13 "