summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r--meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch72
-rw-r--r--meta/recipes-connectivity/connman/connman_1.37.bb1
2 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
new file mode 100644
index 0000000000..770948fb69
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch
@@ -0,0 +1,72 @@
1From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
2From: Valery Kashcheev <v.kascheev@omp.ru>
3Date: Mon, 7 Jun 2021 18:58:24 +0200
4Subject: dnsproxy: Check the length of buffers before memcpy
5
6Fix using a stack-based buffer overflow attack by checking the length of
7the ptr and uptr buffers.
8
9Fix debug message output.
10
11Fixes: CVE-2021-33833
12
13Upstream-Status: Backport
14https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
15CVE: CVE-2021-33833
16Signed-off-by: Steve Sakoman <steve@sakoman.com>
17
18---
19 src/dnsproxy.c | 20 +++++++++++---------
20 1 file changed, 11 insertions(+), 9 deletions(-)
21
22diff --git a/src/dnsproxy.c b/src/dnsproxy.c
23index de52df5a..38dbdd71 100644
24--- a/src/dnsproxy.c
25+++ b/src/dnsproxy.c
26@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
27 * tmp buffer.
28 */
29
30- debug("pos %d ulen %d left %d name %s", pos, ulen,
31- (int)(uncomp_len - (uptr - uncompressed)), uptr);
32-
33- ulen = strlen(name);
34- if ((uptr + ulen + 1) > uncomp_end) {
35+ ulen = strlen(name) + 1;
36+ if ((uptr + ulen) > uncomp_end)
37 goto out;
38- }
39- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
40+ strncpy(uptr, name, ulen);
41+
42+ debug("pos %d ulen %d left %d name %s", pos, ulen,
43+ (int)(uncomp_end - (uptr + ulen)), uptr);
44
45 uptr += ulen;
46- *uptr++ = '\0';
47
48 ptr += pos;
49
50@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
51 } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
52 dlen = uptr[-2] << 8 | uptr[-1];
53
54- if (ptr + dlen > end) {
55+ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
56 debug("data len %d too long", dlen);
57 goto out;
58 }
59@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
60 * refresh interval, retry interval, expiration
61 * limit and minimum ttl). They are 20 bytes long.
62 */
63+ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
64+ debug("soa record too long");
65+ goto out;
66+ }
67 memcpy(uptr, ptr, 20);
68 uptr += 20;
69 ptr += 20;
70--
71cgit 1.2.3-1.el7
72
diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb
index 096981364f..bdd1e590ec 100644
--- a/meta/recipes-connectivity/connman/connman_1.37.bb
+++ b/meta/recipes-connectivity/connman/connman_1.37.bb
@@ -9,6 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
9 file://CVE-2021-26675.patch \ 9 file://CVE-2021-26675.patch \
10 file://CVE-2021-26676-0001.patch \ 10 file://CVE-2021-26676-0001.patch \
11 file://CVE-2021-26676-0002.patch \ 11 file://CVE-2021-26676-0002.patch \
12 file://CVE-2021-33833.patch \
12 file://CVE-2022-23096-7.patch \ 13 file://CVE-2022-23096-7.patch \
13 file://CVE-2022-23098.patch \ 14 file://CVE-2022-23098.patch \
14" 15"