From dee8fc6a9757752ea58466a8ec5eaf25275928dc Mon Sep 17 00:00:00 2001 From: Alexander Kanavin Date: Wed, 6 Sep 2023 18:56:19 +0200 Subject: connman: update 1.41 -> 1.42 Drop backports. 0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch is partially dropped, as upstream hasn't included the newly added header into the tarball (issue addressed after the release). (From OE-Core rev: eeb686876dc560b5f0fab6f37a2def3d78bb55db) Signed-off-by: Alexander Kanavin Signed-off-by: Richard Purdie --- ...p-Verify-and-sanitize-packet-length-first.patch | 63 ---------------------- 1 file changed, 63 deletions(-) delete mode 100644 meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch (limited to 'meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch') diff --git a/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch b/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch deleted file mode 100644 index 8e2f47a1d5..0000000000 --- a/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001 -From: Daniel Wagner -Date: Tue, 11 Apr 2023 08:12:56 +0200 -Subject: [PATCH] gdhcp: Verify and sanitize packet length first - -Avoid overwriting the read packet length after the initial test. Thus -move all the length checks which depends on the total length first -and do not use the total lenght from the IP packet afterwards. - -Fixes CVE-2023-28488 - -Reported by Polina Smirnova - -CVE: CVE-2023-28488 -Upstream-Status: Backport -Signed-off-by: Ross Burton - ---- - gdhcp/client.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/gdhcp/client.c b/gdhcp/client.c -index 7efa7e45..82017692 100644 ---- a/gdhcp/client.c -+++ b/gdhcp/client.c -@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes) - static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, - struct sockaddr_in *dst_addr) - { -- int bytes; - struct ip_udp_dhcp_packet packet; - uint16_t check; -+ int bytes, tot_len; - - memset(&packet, 0, sizeof(packet)); - -@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, - if (bytes < 0) - return -1; - -- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) -- return -1; -- -- if (bytes < ntohs(packet.ip.tot_len)) -+ tot_len = ntohs(packet.ip.tot_len); -+ if (bytes > tot_len) { -+ /* ignore any extra garbage bytes */ -+ bytes = tot_len; -+ } else if (bytes < tot_len) { - /* packet is bigger than sizeof(packet), we did partial read */ - return -1; -+ } - -- /* ignore any extra garbage bytes */ -- bytes = ntohs(packet.ip.tot_len); -+ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) -+ return -1; - - if (!sanity_check(&packet, bytes)) - return -1; --- -2.34.1 - -- cgit v1.2.3-54-g00ecf