1 files changed, 121 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
new file mode 100644
index 0000000000..7f27474830
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
@@ -0,0 +1,121 @@
+From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 25 Jan 2022 10:00:24 +0100
+Subject: dnsproxy: Validate input data before using them
+dnsproxy is not validating various input data. Add a bunch of checks.
+Fixes: CVE-2022-23097
+Fixes: CVE-2022-23096
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950
+CVE: CVE-2022-23096 CVE-2022-23097
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/dnsproxy.c | 31 ++++++++++++++++++++++++++-----
+ 1 file changed, 26 insertions(+), 5 deletions(-)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index cdfafbc2..c027bcb9 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+ 
+        if (offset < 0)
+                return offset;
+       if (reply_len < 0)
+               return -EINVAL;
+       if (reply_len < offset + 1)
+               return -EINVAL;
+       if ((size_t)reply_len < sizeof(struct domain_hdr))
+               return -EINVAL;
+ 
+        hdr = (void *)(reply + offset);
+        dns_id = reply[offset] | reply[offset + 1] << 8;
+@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                 */
+                if (req->append_domain && ntohs(hdr->qdcount) == 1) {
+                        uint16_t domain_len = 0;
+-                       uint16_t header_len;
+                       uint16_t header_len, payload_len;
+                        uint16_t dns_type, dns_class;
+                        uint8_t host_len, dns_type_pos;
+                        char uncompressed[NS_MAXDNAME], *uptr;
+                        char *ptr, *eom = (char *)reply + reply_len;
+                       char *domain;
+ 
+                        /*
+                         * ptr points to the first char of the hostname.
+                         * ->hostname.domain.net
+                         */
+                        header_len = offset + sizeof(struct domain_hdr);
+                       if (reply_len < header_len)
+                               return -EINVAL;
+                       payload_len = reply_len - header_len;
+
+                        ptr = (char *)reply + header_len;
+ 
+                        host_len = *ptr;
+                       domain = ptr + 1 + host_len;
+                       if (domain > eom)
+                               return -EINVAL;
+
+                        if (host_len > 0)
+-                               domain_len = strnlen(ptr + 1 + host_len,
+-                                               reply_len - header_len);
+                               domain_len = strnlen(domain, eom - domain);
+ 
+                        /*
+                         * If the query type is anything other than A or AAAA,
+@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                         */
+                        dns_type_pos = host_len + 1 + domain_len + 1;
+ 
+                       if (ptr + (dns_type_pos + 3) > eom)
+                               return -EINVAL;
+                        dns_type = ptr[dns_type_pos] << 8 |
+                                                        ptr[dns_type_pos + 1];
+                        dns_class = ptr[dns_type_pos + 2] << 8 |
+@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                                int new_len, fixed_len;
+                                char *answers;
+ 
+                               if (len > payload_len)
+                                       return -EINVAL;
+                                /*
+                                 * First copy host (without domain name) into
+                                 * tmp buffer.
+@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                                 * Copy type and class fields of the question.
+                                 */
+                                ptr += len + domain_len + 1;
+                               if (ptr + NS_QFIXEDSZ > eom)
+                                       return -EINVAL;
+                                memcpy(uptr, ptr, NS_QFIXEDSZ);
+ 
+                                /*
+@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+                                uptr += NS_QFIXEDSZ;
+                                answers = uptr;
+                                fixed_len = answers - uncompressed;
+                               if (ptr + offset > eom)
+                                       return -EINVAL;
+ 
+                                /*
+                                 * We then uncompress the result to buffer
+@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
+ 
+        len = recv(sk, buf, sizeof(buf), 0);
+ 
+-       if (len >= 12)
+-               forward_dns_reply(buf, len, IPPROTO_UDP, data);
+       forward_dns_reply(buf, len, IPPROTO_UDP, data);
+ 
+        return TRUE;
+ }
+-- 
+cgit 1.2.3-1.el7

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch new file mode 100644 index 0000000000..7f27474830 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
@@ -0,0 +1,121 @@
	1	From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001
	2	From: Daniel Wagner <wagi@monom.org>
	3	Date: Tue, 25 Jan 2022 10:00:24 +0100
	4	Subject: dnsproxy: Validate input data before using them
	5
	6	dnsproxy is not validating various input data. Add a bunch of checks.
	7
	8	Fixes: CVE-2022-23097
	9	Fixes: CVE-2022-23096
	10
	11	Upstream-Status: Backport
	12	https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950
	13
	14	CVE: CVE-2022-23096 CVE-2022-23097
	15	Signed-off-by: Steve Sakoman <steve@sakoman.com>
	16
	17	---
	18	src/dnsproxy.c \| 31 ++++++++++++++++++++++++++-----
	19	1 file changed, 26 insertions(+), 5 deletions(-)
	20
	21	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
	22	index cdfafbc2..c027bcb9 100644
	23	--- a/src/dnsproxy.c
	24	+++ b/src/dnsproxy.c
	25	@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
	26
	27	if (offset < 0)
	28	return offset;
	29	+ if (reply_len < 0)
	30	+ return -EINVAL;
	31	+ if (reply_len < offset + 1)
	32	+ return -EINVAL;
	33	+ if ((size_t)reply_len < sizeof(struct domain_hdr))
	34	+ return -EINVAL;
	35
	36	hdr = (void *)(reply + offset);
	37	dns_id = reply[offset] \| reply[offset + 1] << 8;
	38	@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
	39	*/
	40	if (req->append_domain && ntohs(hdr->qdcount) == 1) {
	41	uint16_t domain_len = 0;
	42	- uint16_t header_len;
	43	+ uint16_t header_len, payload_len;
	44	uint16_t dns_type, dns_class;
	45	uint8_t host_len, dns_type_pos;
	46	char uncompressed[NS_MAXDNAME], *uptr;
	47	char ptr, eom = (char *)reply + reply_len;
	48	+ char *domain;
	49
	50	/*
	51	* ptr points to the first char of the hostname.
	52	* ->hostname.domain.net
	53	*/
	54	header_len = offset + sizeof(struct domain_hdr);
	55	+ if (reply_len < header_len)
	56	+ return -EINVAL;
	57	+ payload_len = reply_len - header_len;
	58	+
	59	ptr = (char *)reply + header_len;
	60
	61	host_len = *ptr;
	62	+ domain = ptr + 1 + host_len;
	63	+ if (domain > eom)
	64	+ return -EINVAL;
	65	+
	66	if (host_len > 0)
	67	- domain_len = strnlen(ptr + 1 + host_len,
	68	- reply_len - header_len);
	69	+ domain_len = strnlen(domain, eom - domain);
	70
	71	/*
	72	* If the query type is anything other than A or AAAA,
	73	@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
	74	*/
	75	dns_type_pos = host_len + 1 + domain_len + 1;
	76
	77	+ if (ptr + (dns_type_pos + 3) > eom)
	78	+ return -EINVAL;
	79	dns_type = ptr[dns_type_pos] << 8 \|
	80	ptr[dns_type_pos + 1];
	81	dns_class = ptr[dns_type_pos + 2] << 8 \|
	82	@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
	83	int new_len, fixed_len;
	84	char *answers;
	85
	86	+ if (len > payload_len)
	87	+ return -EINVAL;
	88	/*
	89	* First copy host (without domain name) into
	90	* tmp buffer.
	91	@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
	92	* Copy type and class fields of the question.
	93	*/
	94	ptr += len + domain_len + 1;
	95	+ if (ptr + NS_QFIXEDSZ > eom)
	96	+ return -EINVAL;
	97	memcpy(uptr, ptr, NS_QFIXEDSZ);
	98
	99	/*
	100	@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
	101	uptr += NS_QFIXEDSZ;
	102	answers = uptr;
	103	fixed_len = answers - uncompressed;
	104	+ if (ptr + offset > eom)
	105	+ return -EINVAL;
	106
	107	/*
	108	* We then uncompress the result to buffer
	109	@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
	110
	111	len = recv(sk, buf, sizeof(buf), 0);
	112
	113	- if (len >= 12)
	114	- forward_dns_reply(buf, len, IPPROTO_UDP, data);
	115	+ forward_dns_reply(buf, len, IPPROTO_UDP, data);
	116
	117	return TRUE;
	118	}
	119	--
	120	cgit 1.2.3-1.el7
	121