| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2017-08-21 14:05:34 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-23 08:47:02 +0100 |
| commit | 9086b525dd00f482ea68a384540cd30778413c9e (patch) | |
| tree | 964deda3c0af8372664406c9ce0929b33bc6f9eb | |
| parent | c55b3706124ef0298be3697a4dcf1fc121f45d75 (diff) | |
| download | poky-9086b525dd00f482ea68a384540cd30778413c9e.tar.gz | |
connman: Fix for CVE-2017-12865
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
past the end of the "name" variable in parse_response().
[YOCTO #11959]
(From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch | 87 | ||||
| -rw-r--r-- | meta/recipes-connectivity/connman/connman_1.34.bb | 1 |
2 files changed, 88 insertions, 0 deletions
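--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+src/dnsproxy.c | 16 ++++++++++------
+1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+static int get_name(int counter,
+unsigned char *pkt, unsigned char *start, unsigned char *max,
+unsigned char *output, int output_max, int *output_len,
+- unsigned char **end, char *name, int *name_len)
++ unsigned char **end, char *name, size_t max_name, int *name_len)
+{
+unsigned char *p;
+
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+
+return get_name(counter + 1, pkt, pkt + offset, max,
+output, output_max, output_len, end,
+- name, name_len);
++ name, max_name, name_len);
+} else {
+unsigned label_len = *p;
+
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+if (*output_len > output_max)
+return -ENOBUFS;
+
++ if ((*name_len + 1 + label_len + 1) > max_name)
++ return -ENOBUFS;
++
+/*
+* We need the original name in order to check
+* if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+unsigned char *response, unsigned int *response_size,
+uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+unsigned char **end,
+- char *name)
++ char *name, size_t max_name)
+{
+struct domain_rr *rr;
+int err, offset;
+int name_len = 0, output_len = 0, max_rsp = *response_size;
+
+err = get_name(0, buf, start, max, response, max_rsp,
+- &output_len, end, name, &name_len);
++ &output_len, end, name, max_name, &name_len);
+if (err < 0)
+return err;
+
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+memset(rsp, 0, sizeof(rsp));
+
+ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+- type, class, ttl, &rdlen, &next, name);
++ type, class, ttl, &rdlen, &next, name,
++ sizeof(name) - 1);
+if (ret != 0) {
+err = ret;
+goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+*/
+ret = get_name(0, buf, next - rdlen, buf + buflen,
+rsp, rsp_len, &output_len, &end,
+- name, &name_len);
++ name, sizeof(name) - 1, &name_len);
+if (ret != 0) {
+/* just ignore the error at this point */
+ptr = next;
+--
+cgit v1.1
+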
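Review bot: The new `max_name` parameter of get_name() and parse_rr() carries no comment saying what it bounds, and the two conventions in the backported hunks do not obviously agree: the added check `if ((*name_len + 1 + label_len + 1) > max_name)` appears to reserve one byte for the label separator and one for the terminator, while both call sites in parse_response() pass `sizeof(name) - 1`, which reserves the terminator a second time. That errs on the safe side, but a reader cannot tell which side is meant to own the NUL byte; suggest a comment on the prototype such as `/* max_name: capacity of the name buffer in bytes; the length check accounts for the '.' separator and the terminating NUL */` and then either passing `sizeof(name)` at both call sites or documenting that callers pass the usable length. Separately, the second get_name() call in parse_response() (last hunk) can now also fail with -ENOBUFS on an over-long name, and the existing `/* just ignore the error at this point */` path continues with `ptr = next`; it is worth confirming that a partially written `name` is not consulted afterwards, since whether the terminator is stored before the early return is not visible here. The bodies of get_name(), parse_rr() and parse_response() all extend outside the hunks shown.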
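--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
 file://connman \
 file://no-version-scripts.patch \
 file://includes.patch \
+file://CVE-2017-12865.patch \
 "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
 "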
