ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA).
Backport patch from: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c CVE: CVE-2021-33833 Signed-off-by: Steve Sakoman <st...@sakoman.com> --- .../connman/connman/CVE-2021-33833.patch | 72 +++++++++++++++++++ .../connman/connman_1.37.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch new file mode 100644 index 0000000000..770948fb69 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch @@ -0,0 +1,72 @@ +From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 +From: Valery Kashcheev <v.kasch...@omp.ru> +Date: Mon, 7 Jun 2021 18:58:24 +0200 +Subject: dnsproxy: Check the length of buffers before memcpy + +Fix using a stack-based buffer overflow attack by checking the length of +the ptr and uptr buffers. + +Fix debug message output. + +Fixes: CVE-2021-33833 + +Upstream-Status: Backport +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c +CVE: CVE-2021-33833 +Signed-off-by: Steve Sakoman <st...@sakoman.com> + +--- + src/dnsproxy.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index de52df5a..38dbdd71 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, + * tmp buffer. + */ + +- debug("pos %d ulen %d left %d name %s", pos, ulen, +- (int)(uncomp_len - (uptr - uncompressed)), uptr); +- +- ulen = strlen(name); +- if ((uptr + ulen + 1) > uncomp_end) { ++ ulen = strlen(name) + 1; ++ if ((uptr + ulen) > uncomp_end) + goto out; +- } +- strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); ++ strncpy(uptr, name, ulen); ++ ++ debug("pos %d ulen %d left %d name %s", pos, ulen, ++ (int)(uncomp_end - (uptr + ulen)), uptr); + + uptr += ulen; +- *uptr++ = '\0'; + + ptr += pos; + +@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, + } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { + dlen = uptr[-2] << 8 | uptr[-1]; + +- if (ptr + dlen > end) { ++ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { + debug("data len %d too long", dlen); + goto out; + } +@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, + * refresh interval, retry interval, expiration + * limit and minimum ttl). They are 20 bytes long. + */ ++ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { ++ debug("soa record too long"); ++ goto out; ++ } + memcpy(uptr, ptr, 20); + uptr += 20; + ptr += 20; +-- +cgit 1.2.3-1.el7 + diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index 096981364f..bdd1e590ec 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb @@ -9,6 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2021-26675.patch \ file://CVE-2021-26676-0001.patch \ file://CVE-2021-26676-0002.patch \ + file://CVE-2021-33833.patch \ file://CVE-2022-23096-7.patch \ file://CVE-2022-23098.patch \ " -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#162032): https://lists.openembedded.org/g/openembedded-core/message/162032 Mute This Topic: https://lists.openembedded.org/mt/89294075/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
