connman: Fix CVE-2025-32743

In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32743 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f (From OE-Core rev: 610056dccc7144a70bcf69aec720b44bc7de7557) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Praveen Kumar <praveen.kumar@windriver.com> 2025-05-07 06:48:23 +0000
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2025-05-12 22:01:55 +0100
commit: 534f92cb0a0d4a3cbf73c42488f4a5a4c8e8791c (patch)
tree: 339d42879023cd2fb7d16bc5c7291fafda876840
parent: a48e6883611c07d5ab5e69517c9d562902c57888 (diff)
download: poky-534f92cb0a0d4a3cbf73c42488f4a5a4c8e8791c.tar.gz
2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
new file mode 100644
index 0000000000..c114589679
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+Fixes: CVE-2025-32743
+CVE: CVE-2025-32743
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d7..7ee26d9 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+                                gpointer request, gpointer name)
+ {
+        int sk = -1;
+       int err;
+        const char *lookup = (const char *)name;
+-       int err = ns_try_resolv_from_cache(req, request, lookup);
+
+       if (!lookup || strlen(lookup) == 0)
+               return -EINVAL;
+
+       err = ns_try_resolv_from_cache(req, request, lookup);
+        if (err > 0)
+                /* cache hit */
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.44.bb
index 00e69182d7..b25a435577 100644
--- a/meta/recipes-connectivity/connman/connman_1.44.bb
+++ b/meta/recipes-connectivity/connman/connman_1.44.bb
@@ -21,6 +21,7 @@ DEPENDS  = "dbus glib-2.0"
 SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
           file://connman \
           file://0002-resolve-musl-does-not-implement-res_ninit.patch \
+           file://CVE-2025-32743.patch \
           "
 SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"
author	Praveen Kumar <praveen.kumar@windriver.com>	2025-05-07 06:48:23 +0000
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2025-05-12 22:01:55 +0100
commit	534f92cb0a0d4a3cbf73c42488f4a5a4c8e8791c (patch)
tree	339d42879023cd2fb7d16bc5c7291fafda876840
parent	a48e6883611c07d5ab5e69517c9d562902c57888 (diff)
download	poky-534f92cb0a0d4a3cbf73c42488f4a5a4c8e8791c.tar.gz

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch new file mode 100644 index 0000000000..c114589679 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch
@@ -0,0 +1,48 @@
		1	From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
		2	From: Praveen Kumar <praveen.kumar@windriver.com>
		3	Date: Thu, 24 Apr 2025 11:39:29 +0000
		4	Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
		5
		6	In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
		7	can be NULL or an empty string when the TC (Truncated) bit is set in
		8	a DNS response. This allows attackers to cause a denial of service
		9	(application crash) or possibly execute arbitrary code, because those
		10	lookup values lead to incorrect length calculations and incorrect
		11	memcpy operations.
		12
		13	This patch includes a check to make sure loookup value is valid before
		14	using it. This helps avoid unexpected value when the input is empty or
		15	incorrect.
		16
		17	Fixes: CVE-2025-32743
		18
		19	CVE: CVE-2025-32743
		20
		21	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
		22
		23	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		24	---
		25	src/dnsproxy.c \| 7 ++++++-
		26	1 file changed, 6 insertions(+), 1 deletion(-)
		27
		28	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
		29	index f28a5d7..7ee26d9 100644
		30	--- a/src/dnsproxy.c
		31	+++ b/src/dnsproxy.c
		32	@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data server, struct request_data req,
		33	gpointer request, gpointer name)
		34	{
		35	int sk = -1;
		36	+ int err;
		37	const char lookup = (const char )name;
		38	- int err = ns_try_resolv_from_cache(req, request, lookup);
		39	+
		40	+ if (!lookup \|\| strlen(lookup) == 0)
		41	+ return -EINVAL;
		42	+
		43	+ err = ns_try_resolv_from_cache(req, request, lookup);
		44
		45	if (err > 0)
		46	/* cache hit */
		47	--
		48	2.40.0


diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.44.bb index 00e69182d7..b25a435577 100644 --- a/meta/recipes-connectivity/connman/connman_1.44.bb +++ b/meta/recipes-connectivity/connman/connman_1.44.bb
@@ -21,6 +21,7 @@ DEPENDS = "dbus glib-2.0"
21	SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \	21	SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
22	file://connman \	22	file://connman \
23	file://0002-resolve-musl-does-not-implement-res_ninit.patch \	23	file://0002-resolve-musl-does-not-implement-res_ninit.patch \
		24	file://CVE-2025-32743.patch \
24	"	25	"
25		26
26	SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"	27	SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"