[oe-commits] [openembedded-core] 02/17: connman: Fix for CVE-2017-12865

Wed Aug 23 07:50:41 UTC 2017

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch master
in repository openembedded-core.

commit fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9
Author: Sona Sarmadi <sona.sarmadi at enea.com>
AuthorDate: Mon Aug 21 14:05:34 2017 +0200

    connman: Fix for CVE-2017-12865
    
    dnsproxy: Fix crash on malformed DNS response
    If the response query string is malformed, we might access memory
    pass the end of "name" variable in parse_response().
    
    [YOCTO #11959]
    
    Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 .../connman/connman/CVE-2017-12865.patch           | 87 ++++++++++++++++++++++
 meta/recipes-connectivity/connman/connman_1.34.bb  |  1 +
 2 files changed, 88 insertions(+)

diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 0000000..45f78f1
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissanen at linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ src/dnsproxy.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+ static int get_name(int counter,
+ 		unsigned char *pkt, unsigned char *start, unsigned char *max,
+ 		unsigned char *output, int output_max, int *output_len,
+-		unsigned char **end, char *name, int *name_len)
++		unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+ 	unsigned char *p;
+ 
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+ 
+ 			return get_name(counter + 1, pkt, pkt + offset, max,
+ 					output, output_max, output_len, end,
+-					name, name_len);
++					name, max_name, name_len);
+ 		} else {
+ 			unsigned label_len = *p;
+ 
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+ 			if (*output_len > output_max)
+ 				return -ENOBUFS;
+ 
++			if ((*name_len + 1 + label_len + 1) > max_name)
++				return -ENOBUFS;
++
+ 			/*
+ 			 * We need the original name in order to check
+ 			 * if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+ 			unsigned char *response, unsigned int *response_size,
+ 			uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+ 			unsigned char **end,
+-			char *name)
++			char *name, size_t max_name)
+ {
+ 	struct domain_rr *rr;
+ 	int err, offset;
+ 	int name_len = 0, output_len = 0, max_rsp = *response_size;
+ 
+ 	err = get_name(0, buf, start, max, response, max_rsp,
+-		&output_len, end, name, &name_len);
++			&output_len, end, name, max_name, &name_len);
+ 	if (err < 0)
+ 		return err;
+ 
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+ 		memset(rsp, 0, sizeof(rsp));
+ 
+ 		ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+-			type, class, ttl, &rdlen, &next, name);
++			type, class, ttl, &rdlen, &next, name,
++			sizeof(name) - 1);
+ 		if (ret != 0) {
+ 			err = ret;
+ 			goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+ 			 */
+ 			ret = get_name(0, buf, next - rdlen, buf + buflen,
+ 					rsp, rsp_len, &output_len, &end,
+-					name, &name_len);
++					name, sizeof(name) - 1, &name_len);
+ 			if (ret != 0) {
+ 				/* just ignore the error at this point */
+ 				ptr = next;
+-- 
+cgit v1.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb b/meta/recipes-connectivity/connman/connman_1.34.bb
index 868f940..dc2c688 100644
--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://connman \
             file://no-version-scripts.patch \
             file://includes.patch \
+            file://CVE-2017-12865.patch \
             "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
                              "

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
