diff options
Diffstat (limited to 'meta/recipes-connectivity/connman/connman')
9 files changed, 926 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch new file mode 100644 index 0000000000..2648a832ca --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Wee <cwee@tesla.com> | ||
3 | Date: Thu, 28 Jan 2021 19:41:53 +0100 | ||
4 | Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow | ||
5 | |||
6 | Fixes: CVE-2021-26675 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-26675 | ||
10 | |||
11 | Reference to upstream patch: | ||
12 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb | ||
13 | |||
14 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
15 | --- | ||
16 | src/dnsproxy.c | 14 +++++++++++--- | ||
17 | 1 file changed, 11 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
20 | index a7bf87a1..4f5c897f 100644 | ||
21 | --- a/src/dnsproxy.c | ||
22 | +++ b/src/dnsproxy.c | ||
23 | @@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
24 | char **uncompressed_ptr) | ||
25 | { | ||
26 | char *uptr = *uncompressed_ptr; /* position in result buffer */ | ||
27 | + char * const uncomp_end = uncompressed + uncomp_len - 1; | ||
28 | |||
29 | debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr); | ||
30 | |||
31 | @@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
32 | * tmp buffer. | ||
33 | */ | ||
34 | |||
35 | - ulen = strlen(name); | ||
36 | - strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); | ||
37 | - | ||
38 | debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
39 | (int)(uncomp_len - (uptr - uncompressed)), uptr); | ||
40 | |||
41 | + ulen = strlen(name); | ||
42 | + if ((uptr + ulen + 1) > uncomp_end) { | ||
43 | + goto out; | ||
44 | + } | ||
45 | + strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); | ||
46 | + | ||
47 | uptr += ulen; | ||
48 | *uptr++ = '\0'; | ||
49 | |||
50 | @@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
51 | * We copy also the fixed portion of the result (type, class, | ||
52 | * ttl, address length and the address) | ||
53 | */ | ||
54 | + if ((uptr + NS_RRFIXEDSZ) > uncomp_end) { | ||
55 | + debug("uncompressed data too large for buffer"); | ||
56 | + goto out; | ||
57 | + } | ||
58 | memcpy(uptr, ptr, NS_RRFIXEDSZ); | ||
59 | |||
60 | dns_type = uptr[0] << 8 | uptr[1]; | ||
61 | -- | ||
62 | 2.17.1 | ||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch new file mode 100644 index 0000000000..4104e4bfc6 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch | |||
@@ -0,0 +1,231 @@ | |||
1 | From 58d397ba74873384aee449690a9070bacd5676fa Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Wee <cwee@tesla.com> | ||
3 | Date: Thu, 28 Jan 2021 19:39:14 +0100 | ||
4 | Subject: [PATCH] gdhcp: Avoid reading invalid data in dhcp_get_option | ||
5 | |||
6 | Upstream-Status: Backport | ||
7 | CVE: CVE-2021-26676 | ||
8 | |||
9 | Reference to upstream patch: | ||
10 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa | ||
11 | |||
12 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
13 | --- | ||
14 | gdhcp/client.c | 20 +++++++++++--------- | ||
15 | gdhcp/common.c | 24 +++++++++++++++++++----- | ||
16 | gdhcp/common.h | 2 +- | ||
17 | gdhcp/server.c | 12 +++++++----- | ||
18 | 4 files changed, 38 insertions(+), 20 deletions(-) | ||
19 | |||
20 | diff --git a/gdhcp/client.c b/gdhcp/client.c | ||
21 | index 09dfe5ec..6a5613e7 100644 | ||
22 | --- a/gdhcp/client.c | ||
23 | +++ b/gdhcp/client.c | ||
24 | @@ -1629,12 +1629,12 @@ static void start_request(GDHCPClient *dhcp_client) | ||
25 | NULL); | ||
26 | } | ||
27 | |||
28 | -static uint32_t get_lease(struct dhcp_packet *packet) | ||
29 | +static uint32_t get_lease(struct dhcp_packet *packet, uint16_t packet_len) | ||
30 | { | ||
31 | uint8_t *option; | ||
32 | uint32_t lease_seconds; | ||
33 | |||
34 | - option = dhcp_get_option(packet, DHCP_LEASE_TIME); | ||
35 | + option = dhcp_get_option(packet, packet_len, DHCP_LEASE_TIME); | ||
36 | if (!option) | ||
37 | return 3600; | ||
38 | |||
39 | @@ -2226,7 +2226,8 @@ static void get_dhcpv6_request(GDHCPClient *dhcp_client, | ||
40 | } | ||
41 | } | ||
42 | |||
43 | -static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet) | ||
44 | +static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet, | ||
45 | + uint16_t packet_len) | ||
46 | { | ||
47 | GDHCPOptionType type; | ||
48 | GList *list, *value_list; | ||
49 | @@ -2237,7 +2238,7 @@ static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet) | ||
50 | for (list = dhcp_client->request_list; list; list = list->next) { | ||
51 | code = (uint8_t) GPOINTER_TO_INT(list->data); | ||
52 | |||
53 | - option = dhcp_get_option(packet, code); | ||
54 | + option = dhcp_get_option(packet, packet_len, code); | ||
55 | if (!option) { | ||
56 | g_hash_table_remove(dhcp_client->code_value_hash, | ||
57 | GINT_TO_POINTER((int) code)); | ||
58 | @@ -2297,6 +2298,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
59 | re = dhcp_recv_l2_packet(&packet, | ||
60 | dhcp_client->listener_sockfd, | ||
61 | &dst_addr); | ||
62 | + pkt_len = (uint16_t)(unsigned int)re; | ||
63 | xid = packet.xid; | ||
64 | } else if (dhcp_client->listen_mode == L3) { | ||
65 | if (dhcp_client->type == G_DHCP_IPV6) { | ||
66 | @@ -2361,7 +2363,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
67 | dhcp_client->status_code = status; | ||
68 | } | ||
69 | } else { | ||
70 | - message_type = dhcp_get_option(&packet, DHCP_MESSAGE_TYPE); | ||
71 | + message_type = dhcp_get_option(&packet, pkt_len, DHCP_MESSAGE_TYPE); | ||
72 | if (!message_type) | ||
73 | return TRUE; | ||
74 | } | ||
75 | @@ -2378,7 +2380,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
76 | dhcp_client->timeout = 0; | ||
77 | dhcp_client->retry_times = 0; | ||
78 | |||
79 | - option = dhcp_get_option(&packet, DHCP_SERVER_ID); | ||
80 | + option = dhcp_get_option(&packet, pkt_len, DHCP_SERVER_ID); | ||
81 | dhcp_client->server_ip = get_be32(option); | ||
82 | dhcp_client->requested_ip = ntohl(packet.yiaddr); | ||
83 | |||
84 | @@ -2428,9 +2430,9 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
85 | |||
86 | remove_timeouts(dhcp_client); | ||
87 | |||
88 | - dhcp_client->lease_seconds = get_lease(&packet); | ||
89 | + dhcp_client->lease_seconds = get_lease(&packet, pkt_len); | ||
90 | |||
91 | - get_request(dhcp_client, &packet); | ||
92 | + get_request(dhcp_client, &packet, pkt_len); | ||
93 | |||
94 | switch_listening_mode(dhcp_client, L_NONE); | ||
95 | |||
96 | @@ -2438,7 +2440,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
97 | dhcp_client->assigned_ip = get_ip(packet.yiaddr); | ||
98 | |||
99 | if (dhcp_client->state == REBOOTING) { | ||
100 | - option = dhcp_get_option(&packet, | ||
101 | + option = dhcp_get_option(&packet, pkt_len, | ||
102 | DHCP_SERVER_ID); | ||
103 | dhcp_client->server_ip = get_be32(option); | ||
104 | } | ||
105 | diff --git a/gdhcp/common.c b/gdhcp/common.c | ||
106 | index 1d667d17..c8916aa8 100644 | ||
107 | --- a/gdhcp/common.c | ||
108 | +++ b/gdhcp/common.c | ||
109 | @@ -73,18 +73,21 @@ GDHCPOptionType dhcp_get_code_type(uint8_t code) | ||
110 | return OPTION_UNKNOWN; | ||
111 | } | ||
112 | |||
113 | -uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code) | ||
114 | +uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code) | ||
115 | { | ||
116 | int len, rem; | ||
117 | - uint8_t *optionptr; | ||
118 | + uint8_t *optionptr, *options_end; | ||
119 | + size_t options_len; | ||
120 | uint8_t overload = 0; | ||
121 | |||
122 | /* option bytes: [code][len][data1][data2]..[dataLEN] */ | ||
123 | optionptr = packet->options; | ||
124 | rem = sizeof(packet->options); | ||
125 | + options_len = packet_len - (sizeof(*packet) - sizeof(packet->options)); | ||
126 | + options_end = optionptr + options_len - 1; | ||
127 | |||
128 | while (1) { | ||
129 | - if (rem <= 0) | ||
130 | + if ((rem <= 0) && (optionptr + OPT_CODE > options_end)) | ||
131 | /* Bad packet, malformed option field */ | ||
132 | return NULL; | ||
133 | |||
134 | @@ -115,14 +118,25 @@ uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code) | ||
135 | break; | ||
136 | } | ||
137 | |||
138 | + if (optionptr + OPT_LEN > options_end) { | ||
139 | + /* bad packet, would read length field from OOB */ | ||
140 | + return NULL; | ||
141 | + } | ||
142 | + | ||
143 | len = 2 + optionptr[OPT_LEN]; | ||
144 | |||
145 | rem -= len; | ||
146 | if (rem < 0) | ||
147 | continue; /* complain and return NULL */ | ||
148 | |||
149 | - if (optionptr[OPT_CODE] == code) | ||
150 | - return optionptr + OPT_DATA; | ||
151 | + if (optionptr[OPT_CODE] == code) { | ||
152 | + if (optionptr + len > options_end) { | ||
153 | + /* bad packet, option length points OOB */ | ||
154 | + return NULL; | ||
155 | + } else { | ||
156 | + return optionptr + OPT_DATA; | ||
157 | + } | ||
158 | + } | ||
159 | |||
160 | if (optionptr[OPT_CODE] == DHCP_OPTION_OVERLOAD) | ||
161 | overload |= optionptr[OPT_DATA]; | ||
162 | diff --git a/gdhcp/common.h b/gdhcp/common.h | ||
163 | index 9660231c..8f63fd75 100644 | ||
164 | --- a/gdhcp/common.h | ||
165 | +++ b/gdhcp/common.h | ||
166 | @@ -179,7 +179,7 @@ struct in6_pktinfo { | ||
167 | }; | ||
168 | #endif | ||
169 | |||
170 | -uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code); | ||
171 | +uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code); | ||
172 | uint8_t *dhcpv6_get_option(struct dhcpv6_packet *packet, uint16_t pkt_len, | ||
173 | int code, uint16_t *option_len, int *option_count); | ||
174 | uint8_t *dhcpv6_get_sub_option(unsigned char *option, uint16_t max_len, | ||
175 | diff --git a/gdhcp/server.c b/gdhcp/server.c | ||
176 | index 85405f19..52ea2a55 100644 | ||
177 | --- a/gdhcp/server.c | ||
178 | +++ b/gdhcp/server.c | ||
179 | @@ -413,7 +413,7 @@ error: | ||
180 | } | ||
181 | |||
182 | |||
183 | -static uint8_t check_packet_type(struct dhcp_packet *packet) | ||
184 | +static uint8_t check_packet_type(struct dhcp_packet *packet, uint16_t packet_len) | ||
185 | { | ||
186 | uint8_t *type; | ||
187 | |||
188 | @@ -423,7 +423,7 @@ static uint8_t check_packet_type(struct dhcp_packet *packet) | ||
189 | if (packet->op != BOOTREQUEST) | ||
190 | return 0; | ||
191 | |||
192 | - type = dhcp_get_option(packet, DHCP_MESSAGE_TYPE); | ||
193 | + type = dhcp_get_option(packet, packet_len, DHCP_MESSAGE_TYPE); | ||
194 | |||
195 | if (!type) | ||
196 | return 0; | ||
197 | @@ -651,6 +651,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
198 | struct dhcp_lease *lease; | ||
199 | uint32_t requested_nip = 0; | ||
200 | uint8_t type, *server_id_option, *request_ip_option; | ||
201 | + uint16_t packet_len; | ||
202 | int re; | ||
203 | |||
204 | if (condition & (G_IO_NVAL | G_IO_ERR | G_IO_HUP)) { | ||
205 | @@ -661,12 +662,13 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
206 | re = dhcp_recv_l3_packet(&packet, dhcp_server->listener_sockfd); | ||
207 | if (re < 0) | ||
208 | return TRUE; | ||
209 | + packet_len = (uint16_t)(unsigned int)re; | ||
210 | |||
211 | - type = check_packet_type(&packet); | ||
212 | + type = check_packet_type(&packet, packet_len); | ||
213 | if (type == 0) | ||
214 | return TRUE; | ||
215 | |||
216 | - server_id_option = dhcp_get_option(&packet, DHCP_SERVER_ID); | ||
217 | + server_id_option = dhcp_get_option(&packet, packet_len, DHCP_SERVER_ID); | ||
218 | if (server_id_option) { | ||
219 | uint32_t server_nid = | ||
220 | get_unaligned((const uint32_t *) server_id_option); | ||
221 | @@ -675,7 +677,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
222 | return TRUE; | ||
223 | } | ||
224 | |||
225 | - request_ip_option = dhcp_get_option(&packet, DHCP_REQUESTED_IP); | ||
226 | + request_ip_option = dhcp_get_option(&packet, packet_len, DHCP_REQUESTED_IP); | ||
227 | if (request_ip_option) | ||
228 | requested_nip = get_be32(request_ip_option); | ||
229 | |||
230 | -- | ||
231 | 2.17.1 | ||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch new file mode 100644 index 0000000000..ce909ec293 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 Mon Sep 17 00:00:00 2001 | ||
2 | From: Colin Wee <cwee@tesla.com> | ||
3 | Date: Thu, 28 Jan 2021 19:41:09 +0100 | ||
4 | Subject: [PATCH] gdhcp: Avoid leaking stack data via unitiialized variable | ||
5 | |||
6 | Fixes: CVE-2021-26676 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-26676 | ||
10 | |||
11 | Reference to upstream patch: | ||
12 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 | ||
13 | |||
14 | Signed-off-by: Catalin Enache <catalin.enache@windriver.com> | ||
15 | --- | ||
16 | gdhcp/client.c | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/gdhcp/client.c b/gdhcp/client.c | ||
20 | index 6a5613e7..c7b85e58 100644 | ||
21 | --- a/gdhcp/client.c | ||
22 | +++ b/gdhcp/client.c | ||
23 | @@ -2270,7 +2270,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition, | ||
24 | { | ||
25 | GDHCPClient *dhcp_client = user_data; | ||
26 | struct sockaddr_in dst_addr = { 0 }; | ||
27 | - struct dhcp_packet packet; | ||
28 | + struct dhcp_packet packet = { 0 }; | ||
29 | struct dhcpv6_packet *packet6 = NULL; | ||
30 | uint8_t *message_type = NULL, *client_id = NULL, *option, | ||
31 | *server_id = NULL; | ||
32 | -- | ||
33 | 2.17.1 | ||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch new file mode 100644 index 0000000000..770948fb69 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch | |||
@@ -0,0 +1,72 @@ | |||
1 | From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 | ||
2 | From: Valery Kashcheev <v.kascheev@omp.ru> | ||
3 | Date: Mon, 7 Jun 2021 18:58:24 +0200 | ||
4 | Subject: dnsproxy: Check the length of buffers before memcpy | ||
5 | |||
6 | Fix using a stack-based buffer overflow attack by checking the length of | ||
7 | the ptr and uptr buffers. | ||
8 | |||
9 | Fix debug message output. | ||
10 | |||
11 | Fixes: CVE-2021-33833 | ||
12 | |||
13 | Upstream-Status: Backport | ||
14 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c | ||
15 | CVE: CVE-2021-33833 | ||
16 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
17 | |||
18 | --- | ||
19 | src/dnsproxy.c | 20 +++++++++++--------- | ||
20 | 1 file changed, 11 insertions(+), 9 deletions(-) | ||
21 | |||
22 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
23 | index de52df5a..38dbdd71 100644 | ||
24 | --- a/src/dnsproxy.c | ||
25 | +++ b/src/dnsproxy.c | ||
26 | @@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
27 | * tmp buffer. | ||
28 | */ | ||
29 | |||
30 | - debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
31 | - (int)(uncomp_len - (uptr - uncompressed)), uptr); | ||
32 | - | ||
33 | - ulen = strlen(name); | ||
34 | - if ((uptr + ulen + 1) > uncomp_end) { | ||
35 | + ulen = strlen(name) + 1; | ||
36 | + if ((uptr + ulen) > uncomp_end) | ||
37 | goto out; | ||
38 | - } | ||
39 | - strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); | ||
40 | + strncpy(uptr, name, ulen); | ||
41 | + | ||
42 | + debug("pos %d ulen %d left %d name %s", pos, ulen, | ||
43 | + (int)(uncomp_end - (uptr + ulen)), uptr); | ||
44 | |||
45 | uptr += ulen; | ||
46 | - *uptr++ = '\0'; | ||
47 | |||
48 | ptr += pos; | ||
49 | |||
50 | @@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
51 | } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { | ||
52 | dlen = uptr[-2] << 8 | uptr[-1]; | ||
53 | |||
54 | - if (ptr + dlen > end) { | ||
55 | + if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { | ||
56 | debug("data len %d too long", dlen); | ||
57 | goto out; | ||
58 | } | ||
59 | @@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, | ||
60 | * refresh interval, retry interval, expiration | ||
61 | * limit and minimum ttl). They are 20 bytes long. | ||
62 | */ | ||
63 | + if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { | ||
64 | + debug("soa record too long"); | ||
65 | + goto out; | ||
66 | + } | ||
67 | memcpy(uptr, ptr, 20); | ||
68 | uptr += 20; | ||
69 | ptr += 20; | ||
70 | -- | ||
71 | cgit 1.2.3-1.el7 | ||
72 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch new file mode 100644 index 0000000000..7f27474830 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch | |||
@@ -0,0 +1,121 @@ | |||
1 | From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 25 Jan 2022 10:00:24 +0100 | ||
4 | Subject: dnsproxy: Validate input data before using them | ||
5 | |||
6 | dnsproxy is not validating various input data. Add a bunch of checks. | ||
7 | |||
8 | Fixes: CVE-2022-23097 | ||
9 | Fixes: CVE-2022-23096 | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950 | ||
13 | |||
14 | CVE: CVE-2022-23096 CVE-2022-23097 | ||
15 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
16 | |||
17 | --- | ||
18 | src/dnsproxy.c | 31 ++++++++++++++++++++++++++----- | ||
19 | 1 file changed, 26 insertions(+), 5 deletions(-) | ||
20 | |||
21 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
22 | index cdfafbc2..c027bcb9 100644 | ||
23 | --- a/src/dnsproxy.c | ||
24 | +++ b/src/dnsproxy.c | ||
25 | @@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
26 | |||
27 | if (offset < 0) | ||
28 | return offset; | ||
29 | + if (reply_len < 0) | ||
30 | + return -EINVAL; | ||
31 | + if (reply_len < offset + 1) | ||
32 | + return -EINVAL; | ||
33 | + if ((size_t)reply_len < sizeof(struct domain_hdr)) | ||
34 | + return -EINVAL; | ||
35 | |||
36 | hdr = (void *)(reply + offset); | ||
37 | dns_id = reply[offset] | reply[offset + 1] << 8; | ||
38 | @@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
39 | */ | ||
40 | if (req->append_domain && ntohs(hdr->qdcount) == 1) { | ||
41 | uint16_t domain_len = 0; | ||
42 | - uint16_t header_len; | ||
43 | + uint16_t header_len, payload_len; | ||
44 | uint16_t dns_type, dns_class; | ||
45 | uint8_t host_len, dns_type_pos; | ||
46 | char uncompressed[NS_MAXDNAME], *uptr; | ||
47 | char *ptr, *eom = (char *)reply + reply_len; | ||
48 | + char *domain; | ||
49 | |||
50 | /* | ||
51 | * ptr points to the first char of the hostname. | ||
52 | * ->hostname.domain.net | ||
53 | */ | ||
54 | header_len = offset + sizeof(struct domain_hdr); | ||
55 | + if (reply_len < header_len) | ||
56 | + return -EINVAL; | ||
57 | + payload_len = reply_len - header_len; | ||
58 | + | ||
59 | ptr = (char *)reply + header_len; | ||
60 | |||
61 | host_len = *ptr; | ||
62 | + domain = ptr + 1 + host_len; | ||
63 | + if (domain > eom) | ||
64 | + return -EINVAL; | ||
65 | + | ||
66 | if (host_len > 0) | ||
67 | - domain_len = strnlen(ptr + 1 + host_len, | ||
68 | - reply_len - header_len); | ||
69 | + domain_len = strnlen(domain, eom - domain); | ||
70 | |||
71 | /* | ||
72 | * If the query type is anything other than A or AAAA, | ||
73 | @@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
74 | */ | ||
75 | dns_type_pos = host_len + 1 + domain_len + 1; | ||
76 | |||
77 | + if (ptr + (dns_type_pos + 3) > eom) | ||
78 | + return -EINVAL; | ||
79 | dns_type = ptr[dns_type_pos] << 8 | | ||
80 | ptr[dns_type_pos + 1]; | ||
81 | dns_class = ptr[dns_type_pos + 2] << 8 | | ||
82 | @@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
83 | int new_len, fixed_len; | ||
84 | char *answers; | ||
85 | |||
86 | + if (len > payload_len) | ||
87 | + return -EINVAL; | ||
88 | /* | ||
89 | * First copy host (without domain name) into | ||
90 | * tmp buffer. | ||
91 | @@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
92 | * Copy type and class fields of the question. | ||
93 | */ | ||
94 | ptr += len + domain_len + 1; | ||
95 | + if (ptr + NS_QFIXEDSZ > eom) | ||
96 | + return -EINVAL; | ||
97 | memcpy(uptr, ptr, NS_QFIXEDSZ); | ||
98 | |||
99 | /* | ||
100 | @@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol, | ||
101 | uptr += NS_QFIXEDSZ; | ||
102 | answers = uptr; | ||
103 | fixed_len = answers - uncompressed; | ||
104 | + if (ptr + offset > eom) | ||
105 | + return -EINVAL; | ||
106 | |||
107 | /* | ||
108 | * We then uncompress the result to buffer | ||
109 | @@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition, | ||
110 | |||
111 | len = recv(sk, buf, sizeof(buf), 0); | ||
112 | |||
113 | - if (len >= 12) | ||
114 | - forward_dns_reply(buf, len, IPPROTO_UDP, data); | ||
115 | + forward_dns_reply(buf, len, IPPROTO_UDP, data); | ||
116 | |||
117 | return TRUE; | ||
118 | } | ||
119 | -- | ||
120 | cgit 1.2.3-1.el7 | ||
121 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch new file mode 100644 index 0000000000..a40c9f583f --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthias Gerstner <mgerstner@suse.de> | ||
3 | Date: Tue, 25 Jan 2022 10:00:25 +0100 | ||
4 | Subject: dnsproxy: Avoid 100 % busy loop in TCP server case | ||
5 | |||
6 | Once the TCP socket is connected and until the remote server is | ||
7 | responding (if ever) ConnMan executes a 100 % CPU loop, since | ||
8 | the connected socket will always be writable (G_IO_OUT). | ||
9 | |||
10 | To fix this, modify the watch after the connection is established to | ||
11 | remove the G_IO_OUT from the callback conditions. | ||
12 | |||
13 | Fixes: CVE-2022-23098 | ||
14 | |||
15 | Upstream-Status: Backport | ||
16 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 | ||
17 | |||
18 | CVE: CVE-2022-23098 | ||
19 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
20 | |||
21 | --- | ||
22 | src/dnsproxy.c | 12 ++++++++++++ | ||
23 | 1 file changed, 12 insertions(+) | ||
24 | |||
25 | diff --git a/src/dnsproxy.c b/src/dnsproxy.c | ||
26 | index c027bcb9..1ccf36a9 100644 | ||
27 | --- a/src/dnsproxy.c | ||
28 | +++ b/src/dnsproxy.c | ||
29 | @@ -2360,6 +2360,18 @@ hangup: | ||
30 | } | ||
31 | } | ||
32 | |||
33 | + /* | ||
34 | + * Remove the G_IO_OUT flag from the watch, otherwise we end | ||
35 | + * up in a busy loop, because the socket is constantly writable. | ||
36 | + * | ||
37 | + * There seems to be no better way in g_io to do that than | ||
38 | + * re-adding the watch. | ||
39 | + */ | ||
40 | + g_source_remove(server->watch); | ||
41 | + server->watch = g_io_add_watch(server->channel, | ||
42 | + G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR, | ||
43 | + tcp_server_event, server); | ||
44 | + | ||
45 | server->connected = true; | ||
46 | server_list = g_slist_append(server_list, server); | ||
47 | |||
48 | -- | ||
49 | cgit 1.2.3-1.el7 | ||
50 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..74a739d6a2 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 | ||
2 | From: Nathan Crandall <ncrandall@tesla.com> | ||
3 | Date: Tue, 12 Jul 2022 08:56:34 +0200 | ||
4 | Subject: gweb: Fix OOB write in received_data() | ||
5 | |||
6 | There is a mismatch of handling binary vs. C-string data with memchr | ||
7 | and strlen, resulting in pos, count, and bytes_read to become out of | ||
8 | sync and result in a heap overflow. Instead, do not treat the buffer | ||
9 | as an ASCII C-string. We calculate the count based on the return value | ||
10 | of memchr, instead of strlen. | ||
11 | |||
12 | Fixes: CVE-2022-32292 | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b | ||
16 | CVE: CVE-2022-32292 | ||
17 | Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> | ||
18 | --- | ||
19 | gweb/gweb.c | 2 +- | ||
20 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/gweb/gweb.c b/gweb/gweb.c | ||
23 | index 12fcb1d8..13c6c5f2 100644 | ||
24 | --- a/gweb/gweb.c | ||
25 | +++ b/gweb/gweb.c | ||
26 | @@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, | ||
27 | } | ||
28 | |||
29 | *pos = '\0'; | ||
30 | - count = strlen((char *) ptr); | ||
31 | + count = pos - ptr; | ||
32 | if (count > 0 && ptr[count - 1] == '\r') { | ||
33 | ptr[--count] = '\0'; | ||
34 | bytes_read--; | ||
35 | -- | ||
36 | cgit | ||
37 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch new file mode 100644 index 0000000000..83a013981c --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch | |||
@@ -0,0 +1,266 @@ | |||
1 | From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Tue, 20 Sep 2022 17:58:19 +0530 | ||
4 | Subject: [PATCH] CVE-2022-32293 | ||
5 | |||
6 | CVE: CVE-2022-32293 | ||
7 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a] | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | --- | ||
10 | src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++------------- | ||
11 | 1 file changed, 63 insertions(+), 20 deletions(-) | ||
12 | |||
13 | diff --git a/src/wispr.c b/src/wispr.c | ||
14 | index 473c0e0..97e0242 100644 | ||
15 | --- a/src/wispr.c | ||
16 | +++ b/src/wispr.c | ||
17 | @@ -59,6 +59,7 @@ struct wispr_route { | ||
18 | }; | ||
19 | |||
20 | struct connman_wispr_portal_context { | ||
21 | + int refcount; | ||
22 | struct connman_service *service; | ||
23 | enum connman_ipconfig_type type; | ||
24 | struct connman_wispr_portal *wispr_portal; | ||
25 | @@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data); | ||
26 | |||
27 | static GHashTable *wispr_portal_list = NULL; | ||
28 | |||
29 | +#define wispr_portal_context_ref(wp_context) \ | ||
30 | + wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__) | ||
31 | +#define wispr_portal_context_unref(wp_context) \ | ||
32 | + wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__) | ||
33 | + | ||
34 | static void connman_wispr_message_init(struct connman_wispr_message *msg) | ||
35 | { | ||
36 | - DBG(""); | ||
37 | - | ||
38 | msg->has_error = false; | ||
39 | msg->current_element = NULL; | ||
40 | |||
41 | @@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context) | ||
42 | static void free_connman_wispr_portal_context( | ||
43 | struct connman_wispr_portal_context *wp_context) | ||
44 | { | ||
45 | - DBG("context %p", wp_context); | ||
46 | - | ||
47 | - if (!wp_context) | ||
48 | - return; | ||
49 | - | ||
50 | if (wp_context->wispr_portal) { | ||
51 | if (wp_context->wispr_portal->ipv4_context == wp_context) | ||
52 | wp_context->wispr_portal->ipv4_context = NULL; | ||
53 | @@ -200,9 +199,38 @@ static void free_connman_wispr_portal_context( | ||
54 | g_free(wp_context); | ||
55 | } | ||
56 | |||
57 | +static struct connman_wispr_portal_context * | ||
58 | +wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context, | ||
59 | + const char *file, int line, const char *caller) | ||
60 | +{ | ||
61 | + DBG("%p ref %d by %s:%d:%s()", wp_context, | ||
62 | + wp_context->refcount + 1, file, line, caller); | ||
63 | + | ||
64 | + __sync_fetch_and_add(&wp_context->refcount, 1); | ||
65 | + | ||
66 | + return wp_context; | ||
67 | +} | ||
68 | + | ||
69 | +static void wispr_portal_context_unref_debug( | ||
70 | + struct connman_wispr_portal_context *wp_context, | ||
71 | + const char *file, int line, const char *caller) | ||
72 | +{ | ||
73 | + if (!wp_context) | ||
74 | + return; | ||
75 | + | ||
76 | + DBG("%p ref %d by %s:%d:%s()", wp_context, | ||
77 | + wp_context->refcount - 1, file, line, caller); | ||
78 | + | ||
79 | + if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1) | ||
80 | + return; | ||
81 | + | ||
82 | + free_connman_wispr_portal_context(wp_context); | ||
83 | +} | ||
84 | + | ||
85 | static struct connman_wispr_portal_context *create_wispr_portal_context(void) | ||
86 | { | ||
87 | - return g_try_new0(struct connman_wispr_portal_context, 1); | ||
88 | + return wispr_portal_context_ref( | ||
89 | + g_new0(struct connman_wispr_portal_context, 1)); | ||
90 | } | ||
91 | |||
92 | static void free_connman_wispr_portal(gpointer data) | ||
93 | @@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data) | ||
94 | if (!wispr_portal) | ||
95 | return; | ||
96 | |||
97 | - free_connman_wispr_portal_context(wispr_portal->ipv4_context); | ||
98 | - free_connman_wispr_portal_context(wispr_portal->ipv6_context); | ||
99 | + wispr_portal_context_unref(wispr_portal->ipv4_context); | ||
100 | + wispr_portal_context_unref(wispr_portal->ipv6_context); | ||
101 | |||
102 | g_free(wispr_portal); | ||
103 | } | ||
104 | @@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result, | ||
105 | &str)) | ||
106 | connman_info("Client-Timezone: %s", str); | ||
107 | |||
108 | - free_connman_wispr_portal_context(wp_context); | ||
109 | - | ||
110 | __connman_service_ipconfig_indicate_state(service, | ||
111 | CONNMAN_SERVICE_STATE_ONLINE, type); | ||
112 | } | ||
113 | @@ -509,14 +535,17 @@ static void wispr_portal_request_portal( | ||
114 | { | ||
115 | DBG(""); | ||
116 | |||
117 | + wispr_portal_context_ref(wp_context); | ||
118 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
119 | wp_context->status_url, | ||
120 | wispr_portal_web_result, | ||
121 | wispr_route_request, | ||
122 | wp_context); | ||
123 | |||
124 | - if (wp_context->request_id == 0) | ||
125 | + if (wp_context->request_id == 0) { | ||
126 | wispr_portal_error(wp_context); | ||
127 | + wispr_portal_context_unref(wp_context); | ||
128 | + } | ||
129 | } | ||
130 | |||
131 | static bool wispr_input(const guint8 **data, gsize *length, | ||
132 | @@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service, | ||
133 | return; | ||
134 | |||
135 | if (!authentication_done) { | ||
136 | - wispr_portal_error(wp_context); | ||
137 | free_wispr_routes(wp_context); | ||
138 | + wispr_portal_error(wp_context); | ||
139 | + wispr_portal_context_unref(wp_context); | ||
140 | return; | ||
141 | } | ||
142 | |||
143 | /* Restarting the test */ | ||
144 | __connman_service_wispr_start(service, wp_context->type); | ||
145 | + wispr_portal_context_unref(wp_context); | ||
146 | } | ||
147 | |||
148 | static void wispr_portal_request_wispr_login(struct connman_service *service, | ||
149 | @@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service, | ||
150 | return; | ||
151 | } | ||
152 | |||
153 | - free_connman_wispr_portal_context(wp_context); | ||
154 | + wispr_portal_context_unref(wp_context); | ||
155 | return; | ||
156 | } | ||
157 | |||
158 | @@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result, | ||
159 | |||
160 | wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN; | ||
161 | |||
162 | + wispr_portal_context_ref(wp_context); | ||
163 | if (__connman_agent_request_login_input(wp_context->service, | ||
164 | wispr_portal_request_wispr_login, | ||
165 | - wp_context) != -EINPROGRESS) | ||
166 | + wp_context) != -EINPROGRESS) { | ||
167 | wispr_portal_error(wp_context); | ||
168 | - else | ||
169 | + wispr_portal_context_unref(wp_context); | ||
170 | + } else | ||
171 | return true; | ||
172 | |||
173 | break; | ||
174 | @@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
175 | if (length > 0) { | ||
176 | g_web_parser_feed_data(wp_context->wispr_parser, | ||
177 | chunk, length); | ||
178 | + wispr_portal_context_unref(wp_context); | ||
179 | return true; | ||
180 | } | ||
181 | |||
182 | @@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
183 | |||
184 | switch (status) { | ||
185 | case 000: | ||
186 | + wispr_portal_context_ref(wp_context); | ||
187 | __connman_agent_request_browser(wp_context->service, | ||
188 | wispr_portal_browser_reply_cb, | ||
189 | wp_context->status_url, wp_context); | ||
190 | @@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
191 | if (g_web_result_get_header(result, "X-ConnMan-Status", | ||
192 | &str)) { | ||
193 | portal_manage_status(result, wp_context); | ||
194 | + wispr_portal_context_unref(wp_context); | ||
195 | return false; | ||
196 | - } else | ||
197 | + } else { | ||
198 | + wispr_portal_context_ref(wp_context); | ||
199 | __connman_agent_request_browser(wp_context->service, | ||
200 | wispr_portal_browser_reply_cb, | ||
201 | wp_context->redirect_url, wp_context); | ||
202 | + } | ||
203 | |||
204 | break; | ||
205 | case 302: | ||
206 | @@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
207 | !g_web_result_get_header(result, "Location", | ||
208 | &redirect)) { | ||
209 | |||
210 | + wispr_portal_context_ref(wp_context); | ||
211 | __connman_agent_request_browser(wp_context->service, | ||
212 | wispr_portal_browser_reply_cb, | ||
213 | wp_context->status_url, wp_context); | ||
214 | @@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
215 | |||
216 | wp_context->redirect_url = g_strdup(redirect); | ||
217 | |||
218 | + wispr_portal_context_ref(wp_context); | ||
219 | wp_context->request_id = g_web_request_get(wp_context->web, | ||
220 | redirect, wispr_portal_web_result, | ||
221 | wispr_route_request, wp_context); | ||
222 | @@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
223 | |||
224 | break; | ||
225 | case 505: | ||
226 | + wispr_portal_context_ref(wp_context); | ||
227 | __connman_agent_request_browser(wp_context->service, | ||
228 | wispr_portal_browser_reply_cb, | ||
229 | wp_context->status_url, wp_context); | ||
230 | @@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data) | ||
231 | wp_context->request_id = 0; | ||
232 | done: | ||
233 | wp_context->wispr_msg.message_type = -1; | ||
234 | + wispr_portal_context_unref(wp_context); | ||
235 | return false; | ||
236 | } | ||
237 | |||
238 | @@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data) | ||
239 | xml_wispr_parser_callback, wp_context); | ||
240 | |||
241 | wispr_portal_request_portal(wp_context); | ||
242 | + wispr_portal_context_unref(wp_context); | ||
243 | } | ||
244 | |||
245 | static gboolean no_proxy_callback(gpointer user_data) | ||
246 | @@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context) | ||
247 | |||
248 | if (wp_context->token == 0) { | ||
249 | err = -EINVAL; | ||
250 | - free_connman_wispr_portal_context(wp_context); | ||
251 | + wispr_portal_context_unref(wp_context); | ||
252 | } | ||
253 | } else if (wp_context->timeout == 0) { | ||
254 | wp_context->timeout = g_idle_add(no_proxy_callback, wp_context); | ||
255 | @@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service, | ||
256 | |||
257 | /* If there is already an existing context, we wipe it */ | ||
258 | if (wp_context) | ||
259 | - free_connman_wispr_portal_context(wp_context); | ||
260 | + wispr_portal_context_unref(wp_context); | ||
261 | |||
262 | wp_context = create_wispr_portal_context(); | ||
263 | if (!wp_context) | ||
264 | -- | ||
265 | 2.25.1 | ||
266 | |||
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch new file mode 100644 index 0000000000..ea1601cc04 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch | |||
@@ -0,0 +1,54 @@ | |||
1 | From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001 | ||
2 | From: Daniel Wagner <wagi@monom.org> | ||
3 | Date: Tue, 11 Apr 2023 08:12:56 +0200 | ||
4 | Subject: gdhcp: Verify and sanitize packet length first | ||
5 | |||
6 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138] | ||
7 | CVE: CVE-2023-28488 | ||
8 | Signed-off-by: Ashish Sharma <asharma@mvista.com> | ||
9 | |||
10 | gdhcp/client.c | 16 +++++++++------- | ||
11 | 1 file changed, 9 insertions(+), 7 deletions(-) | ||
12 | |||
13 | diff --git a/gdhcp/client.c b/gdhcp/client.c | ||
14 | index 7efa7e45..82017692 100644 | ||
15 | --- a/gdhcp/client.c | ||
16 | +++ b/gdhcp/client.c | ||
17 | @@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes) | ||
18 | static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, | ||
19 | struct sockaddr_in *dst_addr) | ||
20 | { | ||
21 | - int bytes; | ||
22 | struct ip_udp_dhcp_packet packet; | ||
23 | uint16_t check; | ||
24 | + int bytes, tot_len; | ||
25 | |||
26 | memset(&packet, 0, sizeof(packet)); | ||
27 | |||
28 | @@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, | ||
29 | if (bytes < 0) | ||
30 | return -1; | ||
31 | |||
32 | - if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) | ||
33 | - return -1; | ||
34 | - | ||
35 | - if (bytes < ntohs(packet.ip.tot_len)) | ||
36 | + tot_len = ntohs(packet.ip.tot_len); | ||
37 | + if (bytes > tot_len) { | ||
38 | + /* ignore any extra garbage bytes */ | ||
39 | + bytes = tot_len; | ||
40 | + } else if (bytes < tot_len) { | ||
41 | /* packet is bigger than sizeof(packet), we did partial read */ | ||
42 | return -1; | ||
43 | + } | ||
44 | |||
45 | - /* ignore any extra garbage bytes */ | ||
46 | - bytes = ntohs(packet.ip.tot_len); | ||
47 | + if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) | ||
48 | + return -1; | ||
49 | |||
50 | if (!sanity_check(&packet, bytes)) | ||
51 | return -1; | ||
52 | -- | ||
53 | cgit | ||
54 | |||