1 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
new file mode 100644
index 0000000000..2648a832ca
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
+From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
+From: Colin Wee <cwee@tesla.com>
+Date: Thu, 28 Jan 2021 19:41:53 +0100
+Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
+Fixes: CVE-2021-26675
+Upstream-Status: Backport
+CVE: CVE-2021-26675
+Reference to upstream patch:
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
+Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
+---
+ src/dnsproxy.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index a7bf87a1..4f5c897f 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                        char **uncompressed_ptr)
+ {
+        char *uptr = *uncompressed_ptr; /* position in result buffer */
+       char * const uncomp_end = uncompressed + uncomp_len - 1;
+        debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
+@@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * tmp buffer.
+                 */
+-               ulen = strlen(name);
+-               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+-
+                debug("pos %d ulen %d left %d name %s", pos, ulen,
+                        (int)(uncomp_len - (uptr - uncompressed)), uptr);
+               ulen = strlen(name);
+               if ((uptr + ulen + 1) > uncomp_end) {
+                       goto out;
+               }
+               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+
+                uptr += ulen;
+                *uptr++ = '\0';
+@@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * We copy also the fixed portion of the result (type, class,
+                 * ttl, address length and the address)
+                 */
+               if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
+                       debug("uncompressed data too large for buffer");
+                       goto out;
+               }
+                memcpy(uptr, ptr, NS_RRFIXEDSZ);
+                dns_type = uptr[0] << 8 | uptr[1];
+--
+2.17.1

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch new file mode 100644 index 0000000000..2648a832ca --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
	1	From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
	2	From: Colin Wee <cwee@tesla.com>
	3	Date: Thu, 28 Jan 2021 19:41:53 +0100
	4	Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
	5
	6	Fixes: CVE-2021-26675
	7
	8	Upstream-Status: Backport
	9	CVE: CVE-2021-26675
	10
	11	Reference to upstream patch:
	12	https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
	13
	14	Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
	15	---
	16	src/dnsproxy.c \| 14 +++++++++++---
	17	1 file changed, 11 insertions(+), 3 deletions(-)
	18
	19	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
	20	index a7bf87a1..4f5c897f 100644
	21	--- a/src/dnsproxy.c
	22	+++ b/src/dnsproxy.c
	23	@@ -1767,6 +1767,7 @@ static char uncompress(int16_t field_count, char start, char *end,
	24	char **uncompressed_ptr)
	25	{
	26	char uptr = uncompressed_ptr; /* position in result buffer */
	27	+ char * const uncomp_end = uncompressed + uncomp_len - 1;
	28
	29	debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
	30
	31	@@ -1787,12 +1788,15 @@ static char uncompress(int16_t field_count, char start, char *end,
	32	* tmp buffer.
	33	*/
	34
	35	- ulen = strlen(name);
	36	- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
	37	-
	38	debug("pos %d ulen %d left %d name %s", pos, ulen,
	39	(int)(uncomp_len - (uptr - uncompressed)), uptr);
	40
	41	+ ulen = strlen(name);
	42	+ if ((uptr + ulen + 1) > uncomp_end) {
	43	+ goto out;
	44	+ }
	45	+ strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
	46	+
	47	uptr += ulen;
	48	*uptr++ = '\0';
	49
	50	@@ -1802,6 +1806,10 @@ static char uncompress(int16_t field_count, char start, char *end,
	51	* We copy also the fixed portion of the result (type, class,
	52	* ttl, address length and the address)
	53	*/
	54	+ if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
	55	+ debug("uncompressed data too large for buffer");
	56	+ goto out;
	57	+ }
	58	memcpy(uptr, ptr, NS_RRFIXEDSZ);
	59
	60	dns_type = uptr[0] << 8 \| uptr[1];
	61	--
	62	2.17.1