1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
From: Valery Kashcheev <v.kascheev@omp.ru>
Date: Mon, 7 Jun 2021 18:58:24 +0200
Subject: dnsproxy: Check the length of buffers before memcpy
Fix using a stack-based buffer overflow attack by checking the length of
the ptr and uptr buffers.
Fix debug message output.
Fixes: CVE-2021-33833
Upstream-Status: Backport
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
CVE: CVE-2021-33833
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
src/dnsproxy.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index de52df5a..38dbdd71 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
* tmp buffer.
*/
- debug("pos %d ulen %d left %d name %s", pos, ulen,
- (int)(uncomp_len - (uptr - uncompressed)), uptr);
-
- ulen = strlen(name);
- if ((uptr + ulen + 1) > uncomp_end) {
+ ulen = strlen(name) + 1;
+ if ((uptr + ulen) > uncomp_end)
goto out;
- }
- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+ strncpy(uptr, name, ulen);
+
+ debug("pos %d ulen %d left %d name %s", pos, ulen,
+ (int)(uncomp_end - (uptr + ulen)), uptr);
uptr += ulen;
- *uptr++ = '\0';
ptr += pos;
@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
} else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
dlen = uptr[-2] << 8 | uptr[-1];
- if (ptr + dlen > end) {
+ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
debug("data len %d too long", dlen);
goto out;
}
@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
* refresh interval, retry interval, expiration
* limit and minimum ttl). They are 20 bytes long.
*/
+ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
+ debug("soa record too long");
+ goto out;
+ }
memcpy(uptr, ptr, 20);
uptr += 20;
ptr += 20;
--
cgit 1.2.3-1.el7
|
