2 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
new file mode 100644
index 0000000000..770948fb69
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
@@ -0,0 +1,72 @@
+From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
+From: Valery Kashcheev <v.kascheev@omp.ru>
+Date: Mon, 7 Jun 2021 18:58:24 +0200
+Subject: dnsproxy: Check the length of buffers before memcpy
+Fix using a stack-based buffer overflow attack by checking the length of
+the ptr and uptr buffers.
+Fix debug message output.
+Fixes: CVE-2021-33833
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
+CVE: CVE-2021-33833
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+---
+ src/dnsproxy.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index de52df5a..38dbdd71 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                 * tmp buffer.
+                 */
+ 
+-               debug("pos %d ulen %d left %d name %s", pos, ulen,
+-                       (int)(uncomp_len - (uptr - uncompressed)), uptr);
+-
+-               ulen = strlen(name);
+-               if ((uptr + ulen + 1) > uncomp_end) {
+               ulen = strlen(name) + 1;
+               if ((uptr + ulen) > uncomp_end)
+                        goto out;
+-               }
+-               strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+               strncpy(uptr, name, ulen);
+
+               debug("pos %d ulen %d left %d name %s", pos, ulen,
+                       (int)(uncomp_end - (uptr + ulen)), uptr);
+ 
+                uptr += ulen;
+-               *uptr++ = '\0';
+ 
+                ptr += pos;
+ 
+@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
+                        dlen = uptr[-2] << 8 | uptr[-1];
+ 
+-                       if (ptr + dlen > end) {
+                       if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
+                                debug("data len %d too long", dlen);
+                                goto out;
+                        }
+@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+                         * refresh interval, retry interval, expiration
+                         * limit and minimum ttl). They are 20 bytes long.
+                         */
+                       if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
+                               debug("soa record too long");
+                               goto out;
+                       }
+                        memcpy(uptr, ptr, 20);
+                        uptr += 20;
+                        ptr += 20;
+-- 
+cgit 1.2.3-1.el7
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index 096981364f..bdd1e590ec 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -9,6 +9,7 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
            file://CVE-2021-26675.patch \
            file://CVE-2021-26676-0001.patch \
            file://CVE-2021-26676-0002.patch \
+            file://CVE-2021-33833.patch \
            file://CVE-2022-23096-7.patch \
            file://CVE-2022-23098.patch \
 "

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch new file mode 100644 index 0000000000..770948fb69 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
@@ -0,0 +1,72 @@
		1	From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
		2	From: Valery Kashcheev <v.kascheev@omp.ru>
		3	Date: Mon, 7 Jun 2021 18:58:24 +0200
		4	Subject: dnsproxy: Check the length of buffers before memcpy
		5
		6	Fix using a stack-based buffer overflow attack by checking the length of
		7	the ptr and uptr buffers.
		8
		9	Fix debug message output.
		10
		11	Fixes: CVE-2021-33833
		12
		13	Upstream-Status: Backport
		14	https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
		15	CVE: CVE-2021-33833
		16	Signed-off-by: Steve Sakoman <steve@sakoman.com>
		17
		18	---
		19	src/dnsproxy.c \| 20 +++++++++++---------
		20	1 file changed, 11 insertions(+), 9 deletions(-)
		21
		22	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
		23	index de52df5a..38dbdd71 100644
		24	--- a/src/dnsproxy.c
		25	+++ b/src/dnsproxy.c
		26	@@ -1788,17 +1788,15 @@ static char uncompress(int16_t field_count, char start, char *end,
		27	* tmp buffer.
		28	*/
		29
		30	- debug("pos %d ulen %d left %d name %s", pos, ulen,
		31	- (int)(uncomp_len - (uptr - uncompressed)), uptr);
		32	-
		33	- ulen = strlen(name);
		34	- if ((uptr + ulen + 1) > uncomp_end) {
		35	+ ulen = strlen(name) + 1;
		36	+ if ((uptr + ulen) > uncomp_end)
		37	goto out;
		38	- }
		39	- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
		40	+ strncpy(uptr, name, ulen);
		41	+
		42	+ debug("pos %d ulen %d left %d name %s", pos, ulen,
		43	+ (int)(uncomp_end - (uptr + ulen)), uptr);
		44
		45	uptr += ulen;
		46	- *uptr++ = '\0';
		47
		48	ptr += pos;
		49
		50	@@ -1841,7 +1839,7 @@ static char uncompress(int16_t field_count, char start, char *end,
		51	} else if (dns_type == ns_t_a \|\| dns_type == ns_t_aaaa) {
		52	dlen = uptr[-2] << 8 \| uptr[-1];
		53
		54	- if (ptr + dlen > end) {
		55	+ if ((ptr + dlen) > end \|\| (uptr + dlen) > uncomp_end) {
		56	debug("data len %d too long", dlen);
		57	goto out;
		58	}
		59	@@ -1880,6 +1878,10 @@ static char uncompress(int16_t field_count, char start, char *end,
		60	* refresh interval, retry interval, expiration
		61	* limit and minimum ttl). They are 20 bytes long.
		62	*/
		63	+ if ((uptr + 20) > uncomp_end \|\| (ptr + 20) > end) {
		64	+ debug("soa record too long");
		65	+ goto out;
		66	+ }
		67	memcpy(uptr, ptr, 20);
		68	uptr += 20;
		69	ptr += 20;
		70	--
		71	cgit 1.2.3-1.el7
		72


diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index 096981364f..bdd1e590ec 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -9,6 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
9	file://CVE-2021-26675.patch \	9	file://CVE-2021-26675.patch \
10	file://CVE-2021-26676-0001.patch \	10	file://CVE-2021-26676-0001.patch \
11	file://CVE-2021-26676-0002.patch \	11	file://CVE-2021-26676-0002.patch \
		12	file://CVE-2021-33833.patch \
12	file://CVE-2022-23096-7.patch \	13	file://CVE-2022-23096-7.patch \
13	file://CVE-2022-23098.patch \	14	file://CVE-2022-23098.patch \
14	"	15	"