Diffstat (limited to 'meta/recipes-connectivity/connman')
-rw-r--r--meta/recipes-connectivity/connman/connman-gnome_0.7.bb2
-rw-r--r--meta/recipes-connectivity/connman/connman.inc2
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch62
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch231
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch33
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch72
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch121
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch50
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch37
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch266
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch54
-rw-r--r--meta/recipes-connectivity/connman/connman_1.37.bb9
12 files changed, 938 insertions, 1 deletions
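--- a/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
+++ b/meta/recipes-connectivity/connman/connman-gnome_0.7.bb
@@ -10,7 +10,7 @@ DEPENDS = "gtk+3 dbus-glib dbus-glib-native intltool-native gettext-native"
 
 # 0.7 tag
 SRCREV = "cf3c325b23dae843c5499a113591cfbc98acb143"
-SRC_URI = "git://github.com/connectivity/connman-gnome.git \
+SRC_URI = "git://github.com/connectivity/connman-gnome.git;branch=master;protocol=https \
  file://0001-Removed-icon-from-connman-gnome-about-applet.patch \
  file://null_check_for_ipv4_config.patch \
  file://images/* \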
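--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -15,6 +15,8 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
 
 inherit autotools pkgconfig systemd update-rc.d update-alternatives
 
+CVE_PRODUCT = "connman connection_manager"
+
 DEPENDS = "dbus glib-2.0 ppp"
 
 INC_PR = "r20"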
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
new file mode 100644
index 0000000000..2648a832ca
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26675.patch
@@ -0,0 +1,62 @@
1From e4079a20f617a4b076af503f6e4e8b0304c9f2cb Mon Sep 17 00:00:00 2001
2From: Colin Wee <cwee@tesla.com>
3Date: Thu, 28 Jan 2021 19:41:53 +0100
4Subject: [PATCH] dnsproxy: Add length checks to prevent buffer overflow
5
6Fixes: CVE-2021-26675
7
8Upstream-Status: Backport
9CVE: CVE-2021-26675
10
11Reference to upstream patch:
12https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e4079a20f617a4b076af503f6e4e8b0304c9f2cb
13
14Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
15---
16 src/dnsproxy.c | 14 +++++++++++---
17 1 file changed, 11 insertions(+), 3 deletions(-)
18
19diff --git a/src/dnsproxy.c b/src/dnsproxy.c
20index a7bf87a1..4f5c897f 100644
21--- a/src/dnsproxy.c
22+++ b/src/dnsproxy.c
23@@ -1767,6 +1767,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
24 char **uncompressed_ptr)
25 {
26 char *uptr = *uncompressed_ptr; /* position in result buffer */
27+ char * const uncomp_end = uncompressed + uncomp_len - 1;
28
29 debug("count %d ptr %p end %p uptr %p", field_count, ptr, end, uptr);
30
31@@ -1787,12 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
32 * tmp buffer.
33 */
34
35- ulen = strlen(name);
36- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
37-
38 debug("pos %d ulen %d left %d name %s", pos, ulen,
39 (int)(uncomp_len - (uptr - uncompressed)), uptr);
40
41+ ulen = strlen(name);
42+ if ((uptr + ulen + 1) > uncomp_end) {
43+ goto out;
44+ }
45+ strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
46+
47 uptr += ulen;
48 *uptr++ = '\0';
49
50@@ -1802,6 +1806,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
51 * We copy also the fixed portion of the result (type, class,
52 * ttl, address length and the address)
53 */
54+ if ((uptr + NS_RRFIXEDSZ) > uncomp_end) {
55+ debug("uncompressed data too large for buffer");
56+ goto out;
57+ }
58 memcpy(uptr, ptr, NS_RRFIXEDSZ);
59
60 dns_type = uptr[0] << 8 | uptr[1];
61--
622.17.1
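Review bot: This patch has to be applied before CVE-2021-33833.patch from the same commit, whose context lines (`uncomp_end`, the `if ((uptr + ulen + 1) > uncomp_end)` guard and its `goto out`) are exactly the lines added here; the connman_1.37.bb hunk that orders the two in SRC_URI runs past the end of the page, so the order cannot be confirmed from here. The ordering also matters for the intermediate state this patch leaves behind: the `debug("pos %d ulen %d ...")` call kept at its old position now prints `ulen` before the relocated `ulen = strlen(name)` assigns it, so the logged value is stale or unset, which the later patch fixes by moving the debug below the copy. `uncompress` starts and ends outside the hunks.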
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
new file mode 100644
index 0000000000..4104e4bfc6
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0001.patch
@@ -0,0 +1,231 @@
1From 58d397ba74873384aee449690a9070bacd5676fa Mon Sep 17 00:00:00 2001
2From: Colin Wee <cwee@tesla.com>
3Date: Thu, 28 Jan 2021 19:39:14 +0100
4Subject: [PATCH] gdhcp: Avoid reading invalid data in dhcp_get_option
5
6Upstream-Status: Backport
7CVE: CVE-2021-26676
8
9Reference to upstream patch:
10https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=58d397ba74873384aee449690a9070bacd5676fa
11
12Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
13---
14 gdhcp/client.c | 20 +++++++++++---------
15 gdhcp/common.c | 24 +++++++++++++++++++-----
16 gdhcp/common.h | 2 +-
17 gdhcp/server.c | 12 +++++++-----
18 4 files changed, 38 insertions(+), 20 deletions(-)
19
20diff --git a/gdhcp/client.c b/gdhcp/client.c
21index 09dfe5ec..6a5613e7 100644
22--- a/gdhcp/client.c
23+++ b/gdhcp/client.c
24@@ -1629,12 +1629,12 @@ static void start_request(GDHCPClient *dhcp_client)
25 NULL);
26 }
27
28-static uint32_t get_lease(struct dhcp_packet *packet)
29+static uint32_t get_lease(struct dhcp_packet *packet, uint16_t packet_len)
30 {
31 uint8_t *option;
32 uint32_t lease_seconds;
33
34- option = dhcp_get_option(packet, DHCP_LEASE_TIME);
35+ option = dhcp_get_option(packet, packet_len, DHCP_LEASE_TIME);
36 if (!option)
37 return 3600;
38
39@@ -2226,7 +2226,8 @@ static void get_dhcpv6_request(GDHCPClient *dhcp_client,
40 }
41 }
42
43-static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
44+static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet,
45+ uint16_t packet_len)
46 {
47 GDHCPOptionType type;
48 GList *list, *value_list;
49@@ -2237,7 +2238,7 @@ static void get_request(GDHCPClient *dhcp_client, struct dhcp_packet *packet)
50 for (list = dhcp_client->request_list; list; list = list->next) {
51 code = (uint8_t) GPOINTER_TO_INT(list->data);
52
53- option = dhcp_get_option(packet, code);
54+ option = dhcp_get_option(packet, packet_len, code);
55 if (!option) {
56 g_hash_table_remove(dhcp_client->code_value_hash,
57 GINT_TO_POINTER((int) code));
58@@ -2297,6 +2298,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
59 re = dhcp_recv_l2_packet(&packet,
60 dhcp_client->listener_sockfd,
61 &dst_addr);
62+ pkt_len = (uint16_t)(unsigned int)re;
63 xid = packet.xid;
64 } else if (dhcp_client->listen_mode == L3) {
65 if (dhcp_client->type == G_DHCP_IPV6) {
66@@ -2361,7 +2363,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
67 dhcp_client->status_code = status;
68 }
69 } else {
70- message_type = dhcp_get_option(&packet, DHCP_MESSAGE_TYPE);
71+ message_type = dhcp_get_option(&packet, pkt_len, DHCP_MESSAGE_TYPE);
72 if (!message_type)
73 return TRUE;
74 }
75@@ -2378,7 +2380,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
76 dhcp_client->timeout = 0;
77 dhcp_client->retry_times = 0;
78
79- option = dhcp_get_option(&packet, DHCP_SERVER_ID);
80+ option = dhcp_get_option(&packet, pkt_len, DHCP_SERVER_ID);
81 dhcp_client->server_ip = get_be32(option);
82 dhcp_client->requested_ip = ntohl(packet.yiaddr);
83
84@@ -2428,9 +2430,9 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
85
86 remove_timeouts(dhcp_client);
87
88- dhcp_client->lease_seconds = get_lease(&packet);
89+ dhcp_client->lease_seconds = get_lease(&packet, pkt_len);
90
91- get_request(dhcp_client, &packet);
92+ get_request(dhcp_client, &packet, pkt_len);
93
94 switch_listening_mode(dhcp_client, L_NONE);
95
96@@ -2438,7 +2440,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
97 dhcp_client->assigned_ip = get_ip(packet.yiaddr);
98
99 if (dhcp_client->state == REBOOTING) {
100- option = dhcp_get_option(&packet,
101+ option = dhcp_get_option(&packet, pkt_len,
102 DHCP_SERVER_ID);
103 dhcp_client->server_ip = get_be32(option);
104 }
105diff --git a/gdhcp/common.c b/gdhcp/common.c
106index 1d667d17..c8916aa8 100644
107--- a/gdhcp/common.c
108+++ b/gdhcp/common.c
109@@ -73,18 +73,21 @@ GDHCPOptionType dhcp_get_code_type(uint8_t code)
110 return OPTION_UNKNOWN;
111 }
112
113-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
114+uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code)
115 {
116 int len, rem;
117- uint8_t *optionptr;
118+ uint8_t *optionptr, *options_end;
119+ size_t options_len;
120 uint8_t overload = 0;
121
122 /* option bytes: [code][len][data1][data2]..[dataLEN] */
123 optionptr = packet->options;
124 rem = sizeof(packet->options);
125+ options_len = packet_len - (sizeof(*packet) - sizeof(packet->options));
126+ options_end = optionptr + options_len - 1;
127
128 while (1) {
129- if (rem <= 0)
130+ if ((rem <= 0) && (optionptr + OPT_CODE > options_end))
131 /* Bad packet, malformed option field */
132 return NULL;
133
134@@ -115,14 +118,25 @@ uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code)
135 break;
136 }
137
138+ if (optionptr + OPT_LEN > options_end) {
139+ /* bad packet, would read length field from OOB */
140+ return NULL;
141+ }
142+
143 len = 2 + optionptr[OPT_LEN];
144
145 rem -= len;
146 if (rem < 0)
147 continue; /* complain and return NULL */
148
149- if (optionptr[OPT_CODE] == code)
150- return optionptr + OPT_DATA;
151+ if (optionptr[OPT_CODE] == code) {
152+ if (optionptr + len > options_end) {
153+ /* bad packet, option length points OOB */
154+ return NULL;
155+ } else {
156+ return optionptr + OPT_DATA;
157+ }
158+ }
159
160 if (optionptr[OPT_CODE] == DHCP_OPTION_OVERLOAD)
161 overload |= optionptr[OPT_DATA];
162diff --git a/gdhcp/common.h b/gdhcp/common.h
163index 9660231c..8f63fd75 100644
164--- a/gdhcp/common.h
165+++ b/gdhcp/common.h
166@@ -179,7 +179,7 @@ struct in6_pktinfo {
167 };
168 #endif
169
170-uint8_t *dhcp_get_option(struct dhcp_packet *packet, int code);
171+uint8_t *dhcp_get_option(struct dhcp_packet *packet, uint16_t packet_len, int code);
172 uint8_t *dhcpv6_get_option(struct dhcpv6_packet *packet, uint16_t pkt_len,
173 int code, uint16_t *option_len, int *option_count);
174 uint8_t *dhcpv6_get_sub_option(unsigned char *option, uint16_t max_len,
175diff --git a/gdhcp/server.c b/gdhcp/server.c
176index 85405f19..52ea2a55 100644
177--- a/gdhcp/server.c
178+++ b/gdhcp/server.c
179@@ -413,7 +413,7 @@ error:
180 }
181
182
183-static uint8_t check_packet_type(struct dhcp_packet *packet)
184+static uint8_t check_packet_type(struct dhcp_packet *packet, uint16_t packet_len)
185 {
186 uint8_t *type;
187
188@@ -423,7 +423,7 @@ static uint8_t check_packet_type(struct dhcp_packet *packet)
189 if (packet->op != BOOTREQUEST)
190 return 0;
191
192- type = dhcp_get_option(packet, DHCP_MESSAGE_TYPE);
193+ type = dhcp_get_option(packet, packet_len, DHCP_MESSAGE_TYPE);
194
195 if (!type)
196 return 0;
197@@ -651,6 +651,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
198 struct dhcp_lease *lease;
199 uint32_t requested_nip = 0;
200 uint8_t type, *server_id_option, *request_ip_option;
201+ uint16_t packet_len;
202 int re;
203
204 if (condition & (G_IO_NVAL | G_IO_ERR | G_IO_HUP)) {
205@@ -661,12 +662,13 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
206 re = dhcp_recv_l3_packet(&packet, dhcp_server->listener_sockfd);
207 if (re < 0)
208 return TRUE;
209+ packet_len = (uint16_t)(unsigned int)re;
210
211- type = check_packet_type(&packet);
212+ type = check_packet_type(&packet, packet_len);
213 if (type == 0)
214 return TRUE;
215
216- server_id_option = dhcp_get_option(&packet, DHCP_SERVER_ID);
217+ server_id_option = dhcp_get_option(&packet, packet_len, DHCP_SERVER_ID);
218 if (server_id_option) {
219 uint32_t server_nid =
220 get_unaligned((const uint32_t *) server_id_option);
221@@ -675,7 +677,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
222 return TRUE;
223 }
224
225- request_ip_option = dhcp_get_option(&packet, DHCP_REQUESTED_IP);
226+ request_ip_option = dhcp_get_option(&packet, packet_len, DHCP_REQUESTED_IP);
227 if (request_ip_option)
228 requested_nip = get_be32(request_ip_option);
229
230--
2312.17.1
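Review bot: In `dhcp_get_option`, `options_len = packet_len - (sizeof(*packet) - sizeof(packet->options));` has no guard that `packet_len` covers the fixed part of the packet; for a shorter length the subtraction wraps in `size_t`, `options_end` lands far past the buffer, and every `> options_end` check that follows is disabled. A one-line guard before it, `if (packet_len < sizeof(*packet) - sizeof(packet->options)) return NULL;`, closes that. The loop guard `if ((rem <= 0) && (optionptr + OPT_CODE > options_end))` also looks like it wants `||`: with `&&` the original `rem` bound alone no longer stops the walk, so the function now depends on `packet_len` never exceeding `sizeof(*packet)`, which the callers shown here do not establish. Only the L2 branch of client.c's `listener_event` is shown assigning `pkt_len`; whether the L3 IPv4 branch sets it is outside the hunks and should be confirmed against the full function.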
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch
new file mode 100644
index 0000000000..ce909ec293
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-26676-0002.patch
@@ -0,0 +1,33 @@
1From a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1 Mon Sep 17 00:00:00 2001
2From: Colin Wee <cwee@tesla.com>
3Date: Thu, 28 Jan 2021 19:41:09 +0100
4Subject: [PATCH] gdhcp: Avoid leaking stack data via unitiialized variable
5
6Fixes: CVE-2021-26676
7
8Upstream-Status: Backport
9CVE: CVE-2021-26676
10
11Reference to upstream patch:
12https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=a74524b3e3fad81b0fd1084ffdf9f2ea469cd9b1
13
14Signed-off-by: Catalin Enache <catalin.enache@windriver.com>
15---
16 gdhcp/client.c | 2 +-
17 1 file changed, 1 insertion(+), 1 deletion(-)
18
19diff --git a/gdhcp/client.c b/gdhcp/client.c
20index 6a5613e7..c7b85e58 100644
21--- a/gdhcp/client.c
22+++ b/gdhcp/client.c
23@@ -2270,7 +2270,7 @@ static gboolean listener_event(GIOChannel *channel, GIOCondition condition,
24 {
25 GDHCPClient *dhcp_client = user_data;
26 struct sockaddr_in dst_addr = { 0 };
27- struct dhcp_packet packet;
28+ struct dhcp_packet packet = { 0 };
29 struct dhcpv6_packet *packet6 = NULL;
30 uint8_t *message_type = NULL, *client_id = NULL, *option,
31 *server_id = NULL;
32--
332.17.1
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
new file mode 100644
index 0000000000..770948fb69
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
@@ -0,0 +1,72 @@
1From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
2From: Valery Kashcheev <v.kascheev@omp.ru>
3Date: Mon, 7 Jun 2021 18:58:24 +0200
4Subject: dnsproxy: Check the length of buffers before memcpy
5
6Fix using a stack-based buffer overflow attack by checking the length of
7the ptr and uptr buffers.
8
9Fix debug message output.
10
11Fixes: CVE-2021-33833
12
13Upstream-Status: Backport
14https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
15CVE: CVE-2021-33833
16Signed-off-by: Steve Sakoman <steve@sakoman.com>
17
18---
19 src/dnsproxy.c | 20 +++++++++++---------
20 1 file changed, 11 insertions(+), 9 deletions(-)
21
22diff --git a/src/dnsproxy.c b/src/dnsproxy.c
23index de52df5a..38dbdd71 100644
24--- a/src/dnsproxy.c
25+++ b/src/dnsproxy.c
26@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
27 * tmp buffer.
28 */
29
30- debug("pos %d ulen %d left %d name %s", pos, ulen,
31- (int)(uncomp_len - (uptr - uncompressed)), uptr);
32-
33- ulen = strlen(name);
34- if ((uptr + ulen + 1) > uncomp_end) {
35+ ulen = strlen(name) + 1;
36+ if ((uptr + ulen) > uncomp_end)
37 goto out;
38- }
39- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
40+ strncpy(uptr, name, ulen);
41+
42+ debug("pos %d ulen %d left %d name %s", pos, ulen,
43+ (int)(uncomp_end - (uptr + ulen)), uptr);
44
45 uptr += ulen;
46- *uptr++ = '\0';
47
48 ptr += pos;
49
50@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
51 } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
52 dlen = uptr[-2] << 8 | uptr[-1];
53
54- if (ptr + dlen > end) {
55+ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
56 debug("data len %d too long", dlen);
57 goto out;
58 }
59@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
60 * refresh interval, retry interval, expiration
61 * limit and minimum ttl). They are 20 bytes long.
62 */
63+ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
64+ debug("soa record too long");
65+ goto out;
66+ }
67 memcpy(uptr, ptr, 20);
68 uptr += 20;
69 ptr += 20;
70--
71cgit 1.2.3-1.el7
72
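Review bot: `strncpy(uptr, name, ulen)` with `ulen = strlen(name) + 1` and the preceding bound check is an exact copy of the string plus its terminator, so `memcpy(uptr, name, ulen);` states the intent directly and spares the reader strncpy's padding and termination rules. Because `ulen` now includes the NUL, the `debug("pos %d ulen %d left %d name %s", ...)` line reports one more than the string length; renaming the field in the format or logging `ulen - 1` would keep the output comparable with older logs. `uncompress` starts and ends outside the hunks.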
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
new file mode 100644
index 0000000000..7f27474830
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23096-7.patch
@@ -0,0 +1,121 @@
1From e5a313736e13c90d19085e953a26256a198e4950 Mon Sep 17 00:00:00 2001
2From: Daniel Wagner <wagi@monom.org>
3Date: Tue, 25 Jan 2022 10:00:24 +0100
4Subject: dnsproxy: Validate input data before using them
5
6dnsproxy is not validating various input data. Add a bunch of checks.
7
8Fixes: CVE-2022-23097
9Fixes: CVE-2022-23096
10
11Upstream-Status: Backport
12https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=e5a313736e13c90d19085e953a26256a198e4950
13
14CVE: CVE-2022-23096 CVE-2022-23097
15Signed-off-by: Steve Sakoman <steve@sakoman.com>
16
17---
18 src/dnsproxy.c | 31 ++++++++++++++++++++++++++-----
19 1 file changed, 26 insertions(+), 5 deletions(-)
20
21diff --git a/src/dnsproxy.c b/src/dnsproxy.c
22index cdfafbc2..c027bcb9 100644
23--- a/src/dnsproxy.c
24+++ b/src/dnsproxy.c
25@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
26
27 if (offset < 0)
28 return offset;
29+ if (reply_len < 0)
30+ return -EINVAL;
31+ if (reply_len < offset + 1)
32+ return -EINVAL;
33+ if ((size_t)reply_len < sizeof(struct domain_hdr))
34+ return -EINVAL;
35
36 hdr = (void *)(reply + offset);
37 dns_id = reply[offset] | reply[offset + 1] << 8;
38@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
39 */
40 if (req->append_domain && ntohs(hdr->qdcount) == 1) {
41 uint16_t domain_len = 0;
42- uint16_t header_len;
43+ uint16_t header_len, payload_len;
44 uint16_t dns_type, dns_class;
45 uint8_t host_len, dns_type_pos;
46 char uncompressed[NS_MAXDNAME], *uptr;
47 char *ptr, *eom = (char *)reply + reply_len;
48+ char *domain;
49
50 /*
51 * ptr points to the first char of the hostname.
52 * ->hostname.domain.net
53 */
54 header_len = offset + sizeof(struct domain_hdr);
55+ if (reply_len < header_len)
56+ return -EINVAL;
57+ payload_len = reply_len - header_len;
58+
59 ptr = (char *)reply + header_len;
60
61 host_len = *ptr;
62+ domain = ptr + 1 + host_len;
63+ if (domain > eom)
64+ return -EINVAL;
65+
66 if (host_len > 0)
67- domain_len = strnlen(ptr + 1 + host_len,
68- reply_len - header_len);
69+ domain_len = strnlen(domain, eom - domain);
70
71 /*
72 * If the query type is anything other than A or AAAA,
73@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
74 */
75 dns_type_pos = host_len + 1 + domain_len + 1;
76
77+ if (ptr + (dns_type_pos + 3) > eom)
78+ return -EINVAL;
79 dns_type = ptr[dns_type_pos] << 8 |
80 ptr[dns_type_pos + 1];
81 dns_class = ptr[dns_type_pos + 2] << 8 |
82@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
83 int new_len, fixed_len;
84 char *answers;
85
86+ if (len > payload_len)
87+ return -EINVAL;
88 /*
89 * First copy host (without domain name) into
90 * tmp buffer.
91@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
92 * Copy type and class fields of the question.
93 */
94 ptr += len + domain_len + 1;
95+ if (ptr + NS_QFIXEDSZ > eom)
96+ return -EINVAL;
97 memcpy(uptr, ptr, NS_QFIXEDSZ);
98
99 /*
100@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
101 uptr += NS_QFIXEDSZ;
102 answers = uptr;
103 fixed_len = answers - uncompressed;
104+ if (ptr + offset > eom)
105+ return -EINVAL;
106
107 /*
108 * We then uncompress the result to buffer
109@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
110
111 len = recv(sk, buf, sizeof(buf), 0);
112
113- if (len >= 12)
114- forward_dns_reply(buf, len, IPPROTO_UDP, data);
115+ forward_dns_reply(buf, len, IPPROTO_UDP, data);
116
117 return TRUE;
118 }
119--
120cgit 1.2.3-1.el7
121
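Review bot: The new guard `if ((size_t)reply_len < sizeof(struct domain_hdr)) return -EINVAL;` does not account for `offset`, yet `hdr` is set to `reply + offset` two lines later and `hdr->qdcount` is read before the `reply_len < header_len` check that does include the offset, so with a non-zero offset a reply a few bytes short still passes the header read. Tightening it to `if (reply_len < offset + (int)sizeof(struct domain_hdr)) return -EINVAL;` covers the header on every path, not only the append_domain branch. Relatedly, `host_len = *ptr;` executes when `reply_len == header_len`, i.e. with `ptr == eom`, so that guard looks like it wants `<=`. The removed `if (len >= 12)` in `udp_server_event` means these checks now carry the entire input validation for the UDP path. `forward_dns_reply` starts and ends outside the hunks.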
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
new file mode 100644
index 0000000000..a40c9f583f
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-23098.patch
@@ -0,0 +1,50 @@
1From d8708b85c1e8fe25af7803e8a20cf20e7201d8a4 Mon Sep 17 00:00:00 2001
2From: Matthias Gerstner <mgerstner@suse.de>
3Date: Tue, 25 Jan 2022 10:00:25 +0100
4Subject: dnsproxy: Avoid 100 % busy loop in TCP server case
5
6Once the TCP socket is connected and until the remote server is
7responding (if ever) ConnMan executes a 100 % CPU loop, since
8the connected socket will always be writable (G_IO_OUT).
9
10To fix this, modify the watch after the connection is established to
11remove the G_IO_OUT from the callback conditions.
12
13Fixes: CVE-2022-23098
14
15Upstream-Status: Backport
16https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d8708b85c1e8fe25af7803e8a20cf20e7201d8a4
17
18CVE: CVE-2022-23098
19Signed-off-by: Steve Sakoman <steve@sakoman.com>
20
21---
22 src/dnsproxy.c | 12 ++++++++++++
23 1 file changed, 12 insertions(+)
24
25diff --git a/src/dnsproxy.c b/src/dnsproxy.c
26index c027bcb9..1ccf36a9 100644
27--- a/src/dnsproxy.c
28+++ b/src/dnsproxy.c
29@@ -2360,6 +2360,18 @@ hangup:
30 }
31 }
32
33+ /*
34+ * Remove the G_IO_OUT flag from the watch, otherwise we end
35+ * up in a busy loop, because the socket is constantly writable.
36+ *
37+ * There seems to be no better way in g_io to do that than
38+ * re-adding the watch.
39+ */
40+ g_source_remove(server->watch);
41+ server->watch = g_io_add_watch(server->channel,
42+ G_IO_IN | G_IO_HUP | G_IO_NVAL | G_IO_ERR,
43+ tcp_server_event, server);
44+
45 server->connected = true;
46 server_list = g_slist_append(server_list, server);
47
48--
49cgit 1.2.3-1.el7
50
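Review bot: `g_source_remove(server->watch)` destroys the source whose dispatch is currently running `tcp_server_event` (the same callback is re-registered on the next line); GLib allows that, but from here on the function's return value, which lies outside the hunk, no longer keeps or drops the old watch, and a reader of that tail would not know. A comment on the new block would make it explicit: `/* we are running inside the old watch's callback; it is destroyed here and the return value below no longer applies to it */`. If `server->watch` can be 0 on this path g_source_remove would log a critical, which cannot be judged from the hunk alone.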
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
new file mode 100644
index 0000000000..74a739d6a2
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch
@@ -0,0 +1,37 @@
1From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001
2From: Nathan Crandall <ncrandall@tesla.com>
3Date: Tue, 12 Jul 2022 08:56:34 +0200
4Subject: gweb: Fix OOB write in received_data()
5
6There is a mismatch of handling binary vs. C-string data with memchr
7and strlen, resulting in pos, count, and bytes_read to become out of
8sync and result in a heap overflow. Instead, do not treat the buffer
9as an ASCII C-string. We calculate the count based on the return value
10of memchr, instead of strlen.
11
12Fixes: CVE-2022-32292
13
14Upstream-Status: Backport
15https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b
16CVE: CVE-2022-32292
17Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
18---
19 gweb/gweb.c | 2 +-
20 1 file changed, 1 insertion(+), 1 deletion(-)
21
22diff --git a/gweb/gweb.c b/gweb/gweb.c
23index 12fcb1d8..13c6c5f2 100644
24--- a/gweb/gweb.c
25+++ b/gweb/gweb.c
26@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond,
27 }
28
29 *pos = '\0';
30- count = strlen((char *) ptr);
31+ count = pos - ptr;
32 if (count > 0 && ptr[count - 1] == '\r') {
33 ptr[--count] = '\0';
34 bytes_read--;
35--
36cgit
37
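Review bot: The Upstream-Status URL in the patch header is missing the last character of the commit id: the From line gives `d1a5ede5d255bde8ef707f8441b997563b9312bd` while the link ends in `...b9312b`, so the link does not name the exact commit and should carry the full id. The code change itself, `count = pos - ptr;`, stores a pointer difference; the declaration of `count` is outside the hunk, so its width relative to the buffer size should be confirmed. `received_data` starts and ends outside the hunk.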
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
new file mode 100644
index 0000000000..83a013981c
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32293.patch
@@ -0,0 +1,266 @@
1From 358a44b1442fae0f82846e10da0708b5c4e1ce27 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Tue, 20 Sep 2022 17:58:19 +0530
4Subject: [PATCH] CVE-2022-32293
5
6CVE: CVE-2022-32293
7Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=72343929836de80727a27d6744c869dff045757c && https://git.kernel.org/pub/scm/network/connman/connman.git/commit/src/wispr.c?id=416bfaff988882c553c672e5bfc2d4f648d29e8a]
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 src/wispr.c | 83 ++++++++++++++++++++++++++++++++++++++++-------------
11 1 file changed, 63 insertions(+), 20 deletions(-)
12
13diff --git a/src/wispr.c b/src/wispr.c
14index 473c0e0..97e0242 100644
15--- a/src/wispr.c
16+++ b/src/wispr.c
17@@ -59,6 +59,7 @@ struct wispr_route {
18 };
19
20 struct connman_wispr_portal_context {
21+ int refcount;
22 struct connman_service *service;
23 enum connman_ipconfig_type type;
24 struct connman_wispr_portal *wispr_portal;
25@@ -96,10 +97,13 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data);
26
27 static GHashTable *wispr_portal_list = NULL;
28
29+#define wispr_portal_context_ref(wp_context) \
30+ wispr_portal_context_ref_debug(wp_context, __FILE__, __LINE__, __func__)
31+#define wispr_portal_context_unref(wp_context) \
32+ wispr_portal_context_unref_debug(wp_context, __FILE__, __LINE__, __func__)
33+
34 static void connman_wispr_message_init(struct connman_wispr_message *msg)
35 {
36- DBG("");
37-
38 msg->has_error = false;
39 msg->current_element = NULL;
40
41@@ -159,11 +163,6 @@ static void free_wispr_routes(struct connman_wispr_portal_context *wp_context)
42 static void free_connman_wispr_portal_context(
43 struct connman_wispr_portal_context *wp_context)
44 {
45- DBG("context %p", wp_context);
46-
47- if (!wp_context)
48- return;
49-
50 if (wp_context->wispr_portal) {
51 if (wp_context->wispr_portal->ipv4_context == wp_context)
52 wp_context->wispr_portal->ipv4_context = NULL;
53@@ -200,9 +199,38 @@ static void free_connman_wispr_portal_context(
54 g_free(wp_context);
55 }
56
57+static struct connman_wispr_portal_context *
58+wispr_portal_context_ref_debug(struct connman_wispr_portal_context *wp_context,
59+ const char *file, int line, const char *caller)
60+{
61+ DBG("%p ref %d by %s:%d:%s()", wp_context,
62+ wp_context->refcount + 1, file, line, caller);
63+
64+ __sync_fetch_and_add(&wp_context->refcount, 1);
65+
66+ return wp_context;
67+}
68+
69+static void wispr_portal_context_unref_debug(
70+ struct connman_wispr_portal_context *wp_context,
71+ const char *file, int line, const char *caller)
72+{
73+ if (!wp_context)
74+ return;
75+
76+ DBG("%p ref %d by %s:%d:%s()", wp_context,
77+ wp_context->refcount - 1, file, line, caller);
78+
79+ if (__sync_fetch_and_sub(&wp_context->refcount, 1) != 1)
80+ return;
81+
82+ free_connman_wispr_portal_context(wp_context);
83+}
84+
85 static struct connman_wispr_portal_context *create_wispr_portal_context(void)
86 {
87- return g_try_new0(struct connman_wispr_portal_context, 1);
88+ return wispr_portal_context_ref(
89+ g_new0(struct connman_wispr_portal_context, 1));
90 }
91
92 static void free_connman_wispr_portal(gpointer data)
93@@ -214,8 +242,8 @@ static void free_connman_wispr_portal(gpointer data)
94 if (!wispr_portal)
95 return;
96
97- free_connman_wispr_portal_context(wispr_portal->ipv4_context);
98- free_connman_wispr_portal_context(wispr_portal->ipv6_context);
99+ wispr_portal_context_unref(wispr_portal->ipv4_context);
100+ wispr_portal_context_unref(wispr_portal->ipv6_context);
101
102 g_free(wispr_portal);
103 }
104@@ -450,8 +478,6 @@ static void portal_manage_status(GWebResult *result,
105 &str))
106 connman_info("Client-Timezone: %s", str);
107
108- free_connman_wispr_portal_context(wp_context);
109-
110 __connman_service_ipconfig_indicate_state(service,
111 CONNMAN_SERVICE_STATE_ONLINE, type);
112 }
113@@ -509,14 +535,17 @@ static void wispr_portal_request_portal(
114 {
115 DBG("");
116
117+ wispr_portal_context_ref(wp_context);
118 wp_context->request_id = g_web_request_get(wp_context->web,
119 wp_context->status_url,
120 wispr_portal_web_result,
121 wispr_route_request,
122 wp_context);
123
124- if (wp_context->request_id == 0)
125+ if (wp_context->request_id == 0) {
126 wispr_portal_error(wp_context);
127+ wispr_portal_context_unref(wp_context);
128+ }
129 }
130
131 static bool wispr_input(const guint8 **data, gsize *length,
132@@ -562,13 +591,15 @@ static void wispr_portal_browser_reply_cb(struct connman_service *service,
133 return;
134
135 if (!authentication_done) {
136- wispr_portal_error(wp_context);
137 free_wispr_routes(wp_context);
138+ wispr_portal_error(wp_context);
139+ wispr_portal_context_unref(wp_context);
140 return;
141 }
142
143 /* Restarting the test */
144 __connman_service_wispr_start(service, wp_context->type);
145+ wispr_portal_context_unref(wp_context);
146 }
147
148 static void wispr_portal_request_wispr_login(struct connman_service *service,
149@@ -592,7 +623,7 @@ static void wispr_portal_request_wispr_login(struct connman_service *service,
150 return;
151 }
152
153- free_connman_wispr_portal_context(wp_context);
154+ wispr_portal_context_unref(wp_context);
155 return;
156 }
157
158@@ -644,11 +675,13 @@ static bool wispr_manage_message(GWebResult *result,
159
160 wp_context->wispr_result = CONNMAN_WISPR_RESULT_LOGIN;
161
162+ wispr_portal_context_ref(wp_context);
163 if (__connman_agent_request_login_input(wp_context->service,
164 wispr_portal_request_wispr_login,
165- wp_context) != -EINPROGRESS)
166+ wp_context) != -EINPROGRESS) {
167 wispr_portal_error(wp_context);
168- else
169+ wispr_portal_context_unref(wp_context);
170+ } else
171 return true;
172
173 break;
174@@ -697,6 +730,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
175 if (length > 0) {
176 g_web_parser_feed_data(wp_context->wispr_parser,
177 chunk, length);
178+ wispr_portal_context_unref(wp_context);
179 return true;
180 }
181
182@@ -714,6 +748,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
183
184 switch (status) {
185 case 000:
186+ wispr_portal_context_ref(wp_context);
187 __connman_agent_request_browser(wp_context->service,
188 wispr_portal_browser_reply_cb,
189 wp_context->status_url, wp_context);
190@@ -725,11 +760,14 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
191 if (g_web_result_get_header(result, "X-ConnMan-Status",
192 &str)) {
193 portal_manage_status(result, wp_context);
194+ wispr_portal_context_unref(wp_context);
195 return false;
196- } else
197+ } else {
198+ wispr_portal_context_ref(wp_context);
199 __connman_agent_request_browser(wp_context->service,
200 wispr_portal_browser_reply_cb,
201 wp_context->redirect_url, wp_context);
202+ }
203
204 break;
205 case 302:
206@@ -737,6 +775,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
207 !g_web_result_get_header(result, "Location",
208 &redirect)) {
209
210+ wispr_portal_context_ref(wp_context);
211 __connman_agent_request_browser(wp_context->service,
212 wispr_portal_browser_reply_cb,
213 wp_context->status_url, wp_context);
214@@ -747,6 +786,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
215
216 wp_context->redirect_url = g_strdup(redirect);
217
218+ wispr_portal_context_ref(wp_context);
219 wp_context->request_id = g_web_request_get(wp_context->web,
220 redirect, wispr_portal_web_result,
221 wispr_route_request, wp_context);
222@@ -763,6 +803,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
223
224 break;
225 case 505:
226+ wispr_portal_context_ref(wp_context);
227 __connman_agent_request_browser(wp_context->service,
228 wispr_portal_browser_reply_cb,
229 wp_context->status_url, wp_context);
230@@ -775,6 +816,7 @@ static bool wispr_portal_web_result(GWebResult *result, gpointer user_data)
231 wp_context->request_id = 0;
232 done:
233 wp_context->wispr_msg.message_type = -1;
234+ wispr_portal_context_unref(wp_context);
235 return false;
236 }
237
238@@ -809,6 +851,7 @@ static void proxy_callback(const char *proxy, void *user_data)
239 xml_wispr_parser_callback, wp_context);
240
241 wispr_portal_request_portal(wp_context);
242+ wispr_portal_context_unref(wp_context);
243 }
244
245 static gboolean no_proxy_callback(gpointer user_data)
246@@ -903,7 +946,7 @@ static int wispr_portal_detect(struct connman_wispr_portal_context *wp_context)
247
248 if (wp_context->token == 0) {
249 err = -EINVAL;
250- free_connman_wispr_portal_context(wp_context);
251+ wispr_portal_context_unref(wp_context);
252 }
253 } else if (wp_context->timeout == 0) {
254 wp_context->timeout = g_idle_add(no_proxy_callback, wp_context);
255@@ -952,7 +995,7 @@ int __connman_wispr_start(struct connman_service *service,
256
257 /* If there is already an existing context, we wipe it */
258 if (wp_context)
259- free_connman_wispr_portal_context(wp_context);
260+ wispr_portal_context_unref(wp_context);
261
262 wp_context = create_wispr_portal_context();
263 if (!wp_context)
264--
2652.25.1
266
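Review bot: `wispr_portal_context_ref_debug` dereferences `wp_context` unconditionally (`wp_context->refcount + 1` in the DBG and in `__sync_fetch_and_add`) while its unref counterpart guards against NULL, and `create_wispr_portal_context` now wraps `g_new0`, which aborts on allocation failure instead of returning NULL; the `if (!wp_context)` test after `create_wispr_portal_context()` in `__connman_wispr_start` is therefore unreachable. Either keep `g_try_new0` and make `ref_debug` NULL-safe, or drop the dead check, so the allocation contract is stated once. The refcount values printed by both DBG lines are read next to, not as part of, the `__sync_*` update, so they may be off under concurrent use; a `/* debug value only, may be racy */` comment would stop anyone treating them as exact. Several of the touched functions start or end outside their hunks.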
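--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
@@ -0,0 +1,54 @@
+From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
+From: Daniel Wagner <wagi@monom.org>
+Date: Tue, 11 Apr 2023 08:12:56 +0200
+Subject: gdhcp: Verify and sanitize packet length first
+
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
+CVE: CVE-2023-28488
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ gdhcp/client.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/gdhcp/client.c b/gdhcp/client.c
+index 7efa7e45..82017692 100644
+--- a/gdhcp/client.c
++++ b/gdhcp/client.c
+@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
+ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ struct sockaddr_in *dst_addr)
+ {
+- int bytes;
+ struct ip_udp_dhcp_packet packet;
+ uint16_t check;
++ int bytes, tot_len;
+
+ memset(&packet, 0, sizeof(packet));
+
+@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
+ if (bytes < 0)
+ return -1;
+
+- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+- return -1;
+-
+- if (bytes < ntohs(packet.ip.tot_len))
++ tot_len = ntohs(packet.ip.tot_len);
++ if (bytes > tot_len) {
++ /* ignore any extra garbage bytes */
++ bytes = tot_len;
++ } else if (bytes < tot_len) {
+ /* packet is bigger than sizeof(packet), we did partial read */
+ return -1;
++ }
+
+- /* ignore any extra garbage bytes */
+- bytes = ntohs(packet.ip.tot_len);
++ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
++ return -1;
+
+ if (!sanity_check(&packet, bytes))
+ return -1;
+--
+cgit
+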
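Review bot: In the second hunk of the embedded gdhcp/client.c patch, `tot_len = ntohs(packet.ip.tot_len);` now runs before the `bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))` check, so on a read shorter than the IP header it inspects header bytes the read did not fill. This is well-defined only because `memset(&packet, 0, sizeof(packet));` in the first hunk zero-fills the struct first, which makes the unread part of tot_len zero and lets the minimum-length check below still reject the packet; that dependency deserves a comment, e.g. `/* packet is zero-filled above, so a short read yields a small tot_len that the size check below rejects */` placed above the `tot_len =` line. The kept comment `/* packet is bigger than sizeof(packet), we did partial read */` now sits in the `bytes < tot_len` branch and reads better as `/* tot_len claims more than we received: partial read */`. dhcp_recv_l2_packet continues past the hunk (the sanity_check call and what follows are not all visible).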
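--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -6,6 +6,15 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
  file://0001-gweb-fix-segfault-with-musl-v1.1.21.patch \
  file://connman \
  file://no-version-scripts.patch \
+ file://CVE-2021-26675.patch \
+ file://CVE-2021-26676-0001.patch \
+ file://CVE-2021-26676-0002.patch \
+ file://CVE-2021-33833.patch \
+ file://CVE-2022-23096-7.patch \
+ file://CVE-2022-23098.patch \
+ file://CVE-2022-32292.patch \
+ file://CVE-2022-32293.patch \
+ file://CVE-2023-28488.patch \
 "
 
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"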