Diffstat (limited to 'meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch')
-rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch | 121 |
1 files changed, 121 insertions, 0 deletions
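--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
@@ -0,0 +1,121 @@
+From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 25 Jan 2022 10:00:24 +0100
+Subject: dnsproxy: Validate input data before using them
+
+dnsproxy is not validating various input data. Add a bunch of checks.
+
+Fixes: CVE-2022-23097
+Fixes: CVE-2022-23096
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950
+
+CVE: CVE-2022-23096 CVE-2022-23097
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+src/dnsproxy.c | 31 ++++++++++++++++++++++++++-----
+1 file changed, 26 insertions(+), 5 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index cdfafbc2..c027bcb9 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+
+if (offset < 0)
+return offset;
++ if (reply_len < 0)
++ return -EINVAL;
++ if (reply_len < offset + 1)
++ return -EINVAL;
++ if ((size_t)reply_len < sizeof(struct domain_hdr))
++ return -EINVAL;
+
+hdr = (void *)(reply + offset);
+dns_id = reply[offset] | reply[offset + 1] << 8;
+@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+*/
+if (req->append_domain && ntohs(hdr->qdcount) == 1) {
+uint16_t domain_len = 0;
+- uint16_t header_len;
++ uint16_t header_len, payload_len;
+uint16_t dns_type, dns_class;
+uint8_t host_len, dns_type_pos;
+char uncompressed[NS_MAXDNAME], *uptr;
+char *ptr, *eom = (char *)reply + reply_len;
++ char *domain;
+
+/*
+* ptr points to the first char of the hostname.
+* ->hostname.domain.net
+*/
+header_len = offset + sizeof(struct domain_hdr);
++ if (reply_len < header_len)
++ return -EINVAL;
++ payload_len = reply_len - header_len;
++
+ptr = (char *)reply + header_len;
+
+host_len = *ptr;
++ domain = ptr + 1 + host_len;
++ if (domain > eom)
++ return -EINVAL;
++
+if (host_len > 0)
+- domain_len = strnlen(ptr + 1 + host_len,
+- reply_len - header_len);
++ domain_len = strnlen(domain, eom - domain);
+
+/*
+* If the query type is anything other than A or AAAA,
+@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+*/
+dns_type_pos = host_len + 1 + domain_len + 1;
+
++ if (ptr + (dns_type_pos + 3) > eom)
++ return -EINVAL;
+dns_type = ptr[dns_type_pos] << 8 |
+ptr[dns_type_pos + 1];
+dns_class = ptr[dns_type_pos + 2] << 8 |
+@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+int new_len, fixed_len;
+char *answers;
+
++ if (len > payload_len)
++ return -EINVAL;
+/*
+* First copy host (without domain name) into
+* tmp buffer.
+@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+* Copy type and class fields of the question.
+*/
+ptr += len + domain_len + 1;
++ if (ptr + NS_QFIXEDSZ > eom)
++ return -EINVAL;
+memcpy(uptr, ptr, NS_QFIXEDSZ);
+
+/*
+@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
+uptr += NS_QFIXEDSZ;
+answers = uptr;
+fixed_len = answers - uncompressed;
++ if (ptr + offset > eom)
++ return -EINVAL;
+
+/*
+* We then uncompress the result to buffer
+@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
+
+len = recv(sk, buf, sizeof(buf), 0);
+
+- if (len >= 12)
+- forward_dns_reply(buf, len, IPPROTO_UDP, data);
++ forward_dns_reply(buf, len, IPPROTO_UDP, data);
+
+return TRUE;
+}
+--
+cgit 1.2.3-1.el7
+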
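Review bot: The header-size guard added in the first hunk of src/dnsproxy.c, `if ((size_t)reply_len < sizeof(struct domain_hdr))`, does not account for `offset`, yet the very next line sets `hdr = (void *)(reply + offset)`. When offset is non-zero (presumably the TCP length prefix), a reply of exactly sizeof(struct domain_hdr) bytes passes the check while the tail of the header lies beyond reply_len; the offset-aware test only happens later, inside the append_domain branch. I would fold the two into `if ((size_t)reply_len < (size_t)offset + sizeof(struct domain_hdr)) return -EINVAL;`. The same branch has a related off-by-one: `if (reply_len < header_len)` lets reply_len == header_len through, after which `host_len = *ptr` reads the byte at eom, so `<=` looks intended. forward_dns_reply starts and ends outside the hunks shown, so this should be confirmed against the full function and raised upstream rather than diverging in the backport.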