package/connman: fix CVE-2025-32366
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
than the amount of remaining packet data in the current state of
parsing. As a result, values of stack memory locations may be sent
over the network in a response.
Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32366
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit a8cfe9986c)
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
This commit is contained in:
Dario Binacchi
committed by
Thomas Perale
Thomas Perale
parent
d953365412
commit
6efa33dac1
@@ -0,0 +1,41 @@
|
||||
From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?=EC=8B=A0=EC=9C=A4=EC=A0=9C=28=ED=95=99=EB=B6=80=EC=83=9D-?=
|
||||
=?UTF-8?q?=EC=86=8C=ED=94=84=ED=8A=B8=EC=9B=A8=EC=96=B4=EC=A0=84=EA=B3=B5?=
|
||||
=?UTF-8?q?=29?= <ioerts@kookmin.ac.kr>
|
||||
Date: Mon, 12 May 2025 10:48:18 +0200
|
||||
Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
|
||||
|
||||
In Connman parse_rr in dnsproxy.c has a memcpy length
|
||||
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
|
||||
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
|
||||
than the amount of remaining packet data in the current state of
|
||||
parsing. As a result, values of stack memory locations may be sent
|
||||
over the network in a response.
|
||||
|
||||
This patch adds a check to ensure that (*end + *rdlen) does not exceed
|
||||
the valid range. If the condition is violated, the function returns
|
||||
-EINVAL.
|
||||
|
||||
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
|
||||
Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4
|
||||
---
|
||||
src/dnsproxy.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
|
||||
index 7ee26d9ff886..1dd2f7f5d47e 100644
|
||||
--- a/src/dnsproxy.c
|
||||
+++ b/src/dnsproxy.c
|
||||
@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
|
||||
if ((offset + *rdlen) > *response_size)
|
||||
return -ENOBUFS;
|
||||
|
||||
+ if ((*end + *rdlen) > max)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
memcpy(response + offset, *end, *rdlen);
|
||||
|
||||
*end += *rdlen;
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@@ -16,6 +16,9 @@ CONNMAN_CPE_ID_VENDOR = intel
|
||||
# 0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
|
||||
CONNMAN_IGNORE_CVES += CVE-2025-32743
|
||||
|
||||
# 0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
|
||||
CONNMAN_IGNORE_CVES += CVE-2025-32366
|
||||
|
||||
CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc
|
||||
|
||||
ifeq ($(BR2_INIT_SYSTEMD),y)
|
||||
|
||||
Reference in New Issue
Block a user