|
|
@@ -0,0 +1,41 @@
|
|
|
+From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
|
|
|
+From: Yoonje Shin <ioerts@kookmin.ac.kr>
|
|
|
+Date: Mon, 12 May 2025 10:48:18 +0200
|
|
|
+Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
|
|
|
+
|
|
|
+In Connman parse_rr in dnsproxy.c has a memcpy length
|
|
|
+that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
|
|
|
+and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
|
|
|
+than the amount of remaining packet data in the current state of
|
|
|
+parsing. As a result, values of stack memory locations may be sent
|
|
|
+over the network in a response.
|
|
|
+
|
|
|
+This patch adds a check to ensure that (*end + *rdlen) does not exceed
|
|
|
+the valid range. If the condition is violated, the function returns
|
|
|
+-EINVAL.
|
|
|
+
|
|
|
+CVE: CVE-2025-32366
|
|
|
+
|
|
|
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]
|
|
|
+
|
|
|
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
|
|
|
+---
|
|
|
+ src/dnsproxy.c | 3 +++
|
|
|
+ 1 file changed, 3 insertions(+)
|
|
|
+
|
|
|
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
|
|
|
+index 334dd00..74aed50 100644
|
|
|
+--- a/src/dnsproxy.c
|
|
|
++++ b/src/dnsproxy.c
|
|
|
+@@ -950,6 +950,9 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
|
|
|
+ if ((unsigned int) (offset + *rdlen) > *response_size)
|
|
|
+ return -ENOBUFS;
|
|
|
+
|
|
|
++ if ((*end + *rdlen) > max)
|
|
|
++ return -EINVAL;
|
|
|
++
|
|
|
+ memcpy(response + offset, *end, *rdlen);
|
|
|
+
|
|
|
+ *end += *rdlen;
|
|
|
+--
|
|
|
+2.40.0
|
Praveen Kumar