2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
new file mode 100644
index 0000000000..62f07e707a
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
+Date: Mon, 12 May 2025 10:48:18 +0200
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
+In Connman parse_rr in dnsproxy.c has a memcpy length
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
+than the amount of remaining packet data in the current state of
+parsing. As a result, values of stack memory locations may be sent
+over the network in a response.
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
+the valid range. If the condition is violated, the function returns
+-EINVAL.
+CVE: CVE-2025-32366
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ src/dnsproxy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 7ee26d9..1dd2f7f 100644
+--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
+@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
+        if ((offset + *rdlen) > *response_size)
+                return -ENOBUFS;
+       if ((*end + *rdlen) > max)
+               return -EINVAL;
+
+        memcpy(response + offset, *end, *rdlen);
+        *end += *rdlen;
+--
+2.40.0
diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.44.bb
index b25a435577..02c5be929e 100644
--- a/meta/recipes-connectivity/connman/connman_1.44.bb
+++ b/meta/recipes-connectivity/connman/connman_1.44.bb
@@ -22,6 +22,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
           file://connman \
           file://0002-resolve-musl-does-not-implement-res_ninit.patch \
           file://CVE-2025-32743.patch \
+           file://CVE-2025-32366.patch \
           "
 SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch new file mode 100644 index 0000000000..62f07e707a --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch
@@ -0,0 +1,41 @@
		1	From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
		2	From: Yoonje Shin <ioerts@kookmin.ac.kr>
		3	Date: Mon, 12 May 2025 10:48:18 +0200
		4	Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
		5
		6	In Connman parse_rr in dnsproxy.c has a memcpy length
		7	that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
		8	and memcpy(response+offset,end,rdlen)). Here, rdlen may be larger
		9	than the amount of remaining packet data in the current state of
		10	parsing. As a result, values of stack memory locations may be sent
		11	over the network in a response.
		12
		13	This patch adds a check to ensure that (end + rdlen) does not exceed
		14	the valid range. If the condition is violated, the function returns
		15	-EINVAL.
		16
		17	CVE: CVE-2025-32366
		18
		19	Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
		20
		21	Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
		22	---
		23	src/dnsproxy.c \| 3 +++
		24	1 file changed, 3 insertions(+)
		25
		26	diff --git a/src/dnsproxy.c b/src/dnsproxy.c
		27	index 7ee26d9..1dd2f7f 100644
		28	--- a/src/dnsproxy.c
		29	+++ b/src/dnsproxy.c
		30	@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char buf, const unsigned char start,
		31	if ((offset + rdlen) > response_size)
		32	return -ENOBUFS;
		33
		34	+ if ((end + rdlen) > max)
		35	+ return -EINVAL;
		36	+
		37	memcpy(response + offset, end, rdlen);
		38
		39	end += rdlen;
		40	--
		41	2.40.0


diff --git a/meta/recipes-connectivity/connman/connman_1.44.bb b/meta/recipes-connectivity/connman/connman_1.44.bb index b25a435577..02c5be929e 100644 --- a/meta/recipes-connectivity/connman/connman_1.44.bb +++ b/meta/recipes-connectivity/connman/connman_1.44.bb
@@ -22,6 +22,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
22	file://connman \	22	file://connman \
23	file://0002-resolve-musl-does-not-implement-res_ninit.patch \	23	file://0002-resolve-musl-does-not-implement-res_ninit.patch \
24	file://CVE-2025-32743.patch \	24	file://CVE-2025-32743.patch \
		25	file://CVE-2025-32366.patch \
25	"	26	"
26		27
27	SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"	28	SRC_URI[sha256sum] = "2be2b00321632b775f9eff713acd04ef21e31fbf388f6ebf45512ff4289574ff"