2 files changed, 88 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 0000000000..45f78f10ea
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+CVE: CVE-2017-12865
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ src/dnsproxy.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+ static int get_name(int counter,
+                unsigned char *pkt, unsigned char *start, unsigned char *max,
+                unsigned char *output, int output_max, int *output_len,
+-               unsigned char **end, char *name, int *name_len)
+               unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+        unsigned char *p;
+ 
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+ 
+                        return get_name(counter + 1, pkt, pkt + offset, max,
+                                        output, output_max, output_len, end,
+-                                       name, name_len);
+                                       name, max_name, name_len);
+                } else {
+                        unsigned label_len = *p;
+ 
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+                        if (*output_len > output_max)
+                                return -ENOBUFS;
+ 
+                       if ((*name_len + 1 + label_len + 1) > max_name)
+                               return -ENOBUFS;
+
+                        /*
+                         * We need the original name in order to check
+                         * if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+                        unsigned char *response, unsigned int *response_size,
+                        uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+                        unsigned char **end,
+-                       char *name)
+                       char *name, size_t max_name)
+ {
+        struct domain_rr *rr;
+        int err, offset;
+        int name_len = 0, output_len = 0, max_rsp = *response_size;
+ 
+        err = get_name(0, buf, start, max, response, max_rsp,
+-               &output_len, end, name, &name_len);
+                       &output_len, end, name, max_name, &name_len);
+        if (err < 0)
+                return err;
+ 
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+                memset(rsp, 0, sizeof(rsp));
+ 
+                ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+-                       type, class, ttl, &rdlen, &next, name);
+                       type, class, ttl, &rdlen, &next, name,
+                       sizeof(name) - 1);
+                if (ret != 0) {
+                        err = ret;
+                        goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+                         */
+                        ret = get_name(0, buf, next - rdlen, buf + buflen,
+                                        rsp, rsp_len, &output_len, &end,
+-                                       name, &name_len);
+                                       name, sizeof(name) - 1, &name_len);
+                        if (ret != 0) {
+                                /* just ignore the error at this point */
+                                ptr = next;
+-- 
+cgit v1.1
diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb b/meta/recipes-connectivity/connman/connman_1.34.bb
index 868f940e1d..dc2c688f49 100644
--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://connman \
            file://no-version-scripts.patch \
            file://includes.patch \
+            file://CVE-2017-12865.patch \
            "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
                             "

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch new file mode 100644 index 0000000000..45f78f10ea --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
		1	From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
		2	From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
		3	Date: Wed, 9 Aug 2017 10:16:46 +0300
		4	Subject: dnsproxy: Fix crash on malformed DNS response
		5
		6	If the response query string is malformed, we might access memory
		7	pass the end of "name" variable in parse_response().
		8
		9	CVE: CVE-2017-12865
		10	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
		11
		12	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		13	---
		14	src/dnsproxy.c \| 16 ++++++++++------
		15	1 file changed, 10 insertions(+), 6 deletions(-)
		16
		17	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
		18	index 38ac5bf..40b4f15 100644
		19	--- a/src/dnsproxy.c
		20	+++ b/src/dnsproxy.c
		21	@@ -838,7 +838,7 @@ static struct cache_entry cache_check(gpointer request, int qtype, int proto)
		22	static int get_name(int counter,
		23	unsigned char pkt, unsigned char start, unsigned char *max,
		24	unsigned char output, int output_max, int output_len,
		25	- unsigned char *end, char name, int *name_len)
		26	+ unsigned char *end, char name, size_t max_name, int *name_len)
		27	{
		28	unsigned char *p;
		29
		30	@@ -859,7 +859,7 @@ static int get_name(int counter,
		31
		32	return get_name(counter + 1, pkt, pkt + offset, max,
		33	output, output_max, output_len, end,
		34	- name, name_len);
		35	+ name, max_name, name_len);
		36	} else {
		37	unsigned label_len = *p;
		38
		39	@@ -869,6 +869,9 @@ static int get_name(int counter,
		40	if (*output_len > output_max)
		41	return -ENOBUFS;
		42
		43	+ if ((*name_len + 1 + label_len + 1) > max_name)
		44	+ return -ENOBUFS;
		45	+
		46	/*
		47	* We need the original name in order to check
		48	* if this answer is the correct one.
		49	@@ -900,14 +903,14 @@ static int parse_rr(unsigned char buf, unsigned char start,
		50	unsigned char response, unsigned int response_size,
		51	uint16_t type, uint16_t class, int ttl, int rdlen,
		52	unsigned char **end,
		53	- char *name)
		54	+ char *name, size_t max_name)
		55	{
		56	struct domain_rr *rr;
		57	int err, offset;
		58	int name_len = 0, output_len = 0, max_rsp = *response_size;
		59
		60	err = get_name(0, buf, start, max, response, max_rsp,
		61	- &output_len, end, name, &name_len);
		62	+ &output_len, end, name, max_name, &name_len);
		63	if (err < 0)
		64	return err;
		65
		66	@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
		67	memset(rsp, 0, sizeof(rsp));
		68
		69	ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
		70	- type, class, ttl, &rdlen, &next, name);
		71	+ type, class, ttl, &rdlen, &next, name,
		72	+ sizeof(name) - 1);
		73	if (ret != 0) {
		74	err = ret;
		75	goto out;
		76	@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
		77	*/
		78	ret = get_name(0, buf, next - rdlen, buf + buflen,
		79	rsp, rsp_len, &output_len, &end,
		80	- name, &name_len);
		81	+ name, sizeof(name) - 1, &name_len);
		82	if (ret != 0) {
		83	/* just ignore the error at this point */
		84	ptr = next;
		85	--
		86	cgit v1.1
		87


diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb b/meta/recipes-connectivity/connman/connman_1.34.bb index 868f940e1d..dc2c688f49 100644 --- a/meta/recipes-connectivity/connman/connman_1.34.bb +++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
7	file://connman \	7	file://connman \
8	file://no-version-scripts.patch \	8	file://no-version-scripts.patch \
9	file://includes.patch \	9	file://includes.patch \
		10	file://CVE-2017-12865.patch \
10	"	11	"
11	SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \	12	SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
12	"	13	"