* [PATCH] connman: Fix for CVE-2017-12865
@ 2017-08-21 12:05 Sona Sarmadi
From: Sona Sarmadi @ 2017-08-21 12:05 UTC (permalink / raw)
To: openembedded-core
dnsproxy: Fix crash on malformed DNS response
If the response query string is malformed, we might access memory
past the end of "name" variable in parse_response().
[YOCTO #11959]
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
.../connman/connman/CVE-2017-12865.patch | 87 ++++++++++++++++++++++
meta/recipes-connectivity/connman/connman_1.34.bb | 1 +
2 files changed, 88 insertions(+)
create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 0000000..45f78f1
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ src/dnsproxy.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+ static int get_name(int counter,
+ unsigned char *pkt, unsigned char *start, unsigned char *max,
+ unsigned char *output, int output_max, int *output_len,
+- unsigned char **end, char *name, int *name_len)
++ unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+ unsigned char *p;
+
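Review bot: the new `size_t max_name` parameter sits next to the unchanged `int *name_len`, so the limit and the running length now have different signedness; consider making `name_len` a `size_t *` as well (or documenting that it is never negative), so the bound check that uses both is not a mixed-sign comparison.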
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+
+ return get_name(counter + 1, pkt, pkt + offset, max,
+ output, output_max, output_len, end,
+- name, name_len);
++ name, max_name, name_len);
+ } else {
+ unsigned label_len = *p;
+
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+ if (*output_len > output_max)
+ return -ENOBUFS;
+
++ if ((*name_len + 1 + label_len + 1) > max_name)
++ return -ENOBUFS;
++
+ /*
+ * We need the original name in order to check
+ * if this answer is the correct one.
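Review bot: the two `+ 1` terms in `(*name_len + 1 + label_len + 1) > max_name` are undocumented; a comment saying they cover the separator dot and the terminating NUL would make the bound auditable. Note also that because `label_len` is `unsigned` the whole left-hand side is evaluated as unsigned, so this check only holds while `*name_len` is non-negative; and since the callers already pass `sizeof(name) - 1`, the NUL byte is reserved twice, which is safe but worth a remark so nobody "fixes" one of the two.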
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+ unsigned char *response, unsigned int *response_size,
+ uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+ unsigned char **end,
+- char *name)
++ char *name, size_t max_name)
+ {
+ struct domain_rr *rr;
+ int err, offset;
+ int name_len = 0, output_len = 0, max_rsp = *response_size;
+
+ err = get_name(0, buf, start, max, response, max_rsp,
+- &output_len, end, name, &name_len);
++ &output_len, end, name, max_name, &name_len);
+ if (err < 0)
+ return err;
+
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+ memset(rsp, 0, sizeof(rsp));
+
+ ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+- type, class, ttl, &rdlen, &next, name);
++ type, class, ttl, &rdlen, &next, name,
++ sizeof(name) - 1);
+ if (ret != 0) {
+ err = ret;
+ goto out;
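Review bot: `sizeof(name) - 1` is only right while `name` is an array local to `parse_response()`; its declaration is outside this hunk, and if it is ever changed to a pointer the expression silently becomes `sizeof(char *) - 1`. A named constant for the name buffer size, used both at the declaration and here, would remove that trap.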
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+ */
+ ret = get_name(0, buf, next - rdlen, buf + buflen,
+ rsp, rsp_len, &output_len, &end,
+- name, &name_len);
++ name, sizeof(name) - 1, &name_len);
+ if (ret != 0) {
+ /* just ignore the error at this point */
+ ptr = next;
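Review bot: the `/* just ignore the error at this point */` path now also swallows `-ENOBUFS` from the new bound check, after which `name` holds a partially appended name and `name_len` has already been advanced; since `ptr = next` continues parsing, either reset `name`/`name_len` before moving on or state in the comment that a truncated `name` is harmless for the later comparison.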
+--
+cgit v1.1
+
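Review bot: the `--` / `cgit v1.1` trailer from the cgit patch export is carried into the patch file; `git am` and quilt tolerate it, but stripping it keeps the backport byte-identical to the upstream commit and avoids noise on future rebases.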
diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb b/meta/recipes-connectivity/connman/connman_1.34.bb
index 868f940..dc2c688 100644
--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://connman \
file://no-version-scripts.patch \
file://includes.patch \
+ file://CVE-2017-12865.patch \
"
SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
"
--
1.9.1
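To make the class of bug the commit message describes concrete (a label copied into a fixed-size name buffer without checking that the label, its separator and the NUL terminator all fit), here is an added example of a bounded DNS name decoder. It is not connman's code and not part of the patch above; `decode_name`, `MAX_POINTER_HOPS`, the `decode_into` wrapper and the four sample packets are all constructed for this illustration. The decoder also handles RFC 1035 compression pointers with a hop limit, which goes beyond the single check the patch adds.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_POINTER_HOPS 16   /* assumption: bound on compression-pointer chasing */

/* Decode the DNS name starting at pkt[off] into name[], which holds at most
 * max_name bytes including the terminating NUL.  Returns the number of bytes
 * the name occupies at its original position, or a negative errno:
 * -EINVAL for a malformed name, -ENOBUFS when the name would not fit.
 * On -ENOBUFS the part already written is left NUL-terminated. */
static int decode_name(const unsigned char *pkt, size_t pkt_len, size_t off,
                       char *name, size_t max_name)
{
    size_t start = off;   /* where the name begins in the packet */
    size_t name_len = 0;  /* bytes written to name[], excluding the NUL */
    size_t consumed = 0;  /* bytes the name occupies at its original position */
    int jumped = 0, hops = 0;

    if (max_name == 0)
        return -ENOBUFS;
    name[0] = '\0';

    for (;;) {
        unsigned int len;

        if (off >= pkt_len)
            return -EINVAL;
        len = pkt[off];

        if ((len & 0xC0) == 0xC0) {       /* compression pointer (RFC 1035 4.1.4) */
            if (off + 1 >= pkt_len || ++hops > MAX_POINTER_HOPS)
                return -EINVAL;           /* truncated pointer or pointer loop */
            if (!jumped)
                consumed = off + 2 - start;
            jumped = 1;
            off = ((len & 0x3F) << 8) | pkt[off + 1];
            continue;
        }
        if (len & 0xC0)                   /* 0x40 / 0x80 prefixes are reserved */
            return -EINVAL;
        if (len == 0) {                   /* root label terminates the name */
            if (!jumped)
                consumed = off + 1 - start;
            return (int)consumed;
        }
        if (off + 1 + len > pkt_len)      /* label runs past the packet */
            return -EINVAL;
        /* label, its leading dot (if not the first label) and the NUL must fit */
        if (name_len + (name_len ? 1 : 0) + len + 1 > max_name)
            return -ENOBUFS;
        if (name_len)
            name[name_len++] = '.';
        memcpy(name + name_len, pkt + off + 1, len);
        name_len += len;
        name[name_len] = '\0';
        off += 1 + len;
    }
}

/* Constructed sample packets (wire-format names only, no DNS header). */
static const unsigned char PKT_SIMPLE[] = {     /* www.example.com. */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0 };
static const unsigned char PKT_COMPRESSED[] = { /* second name = mail + ptr to offset 4 */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    4, 'm', 'a', 'i', 'l', 0xC0, 4 };
static const unsigned char PKT_LOOP[]  = { 0xC0, 0 };   /* pointer to itself */
static const unsigned char PKT_TRUNC[] = { 3, 'w', 'w' }; /* label longer than packet */

/* Wrapper for the examples: decodes into a static buffer capped at max_name
 * bytes and reports the return code through *rc. */
static const char *decode_into(const unsigned char *pkt, size_t pkt_len,
                               size_t off, size_t max_name, int *rc)
{
    static char buf[256];
    if (max_name > sizeof(buf))
        max_name = sizeof(buf);
    memset(buf, 'X', sizeof(buf));   /* poison so a partial result is visible */
    *rc = decode_name(pkt, pkt_len, off, buf, max_name);
    return buf;
}

int main(void)
{
    int rc;
    const char *n;

    n = decode_into(PKT_SIMPLE, sizeof(PKT_SIMPLE), 0, 64, &rc);
    printf("simple, 64-byte buffer: rc=%d name=\"%s\"\n", rc, n);
    n = decode_into(PKT_SIMPLE, sizeof(PKT_SIMPLE), 0, 12, &rc);
    printf("simple, 12-byte buffer: rc=%d (%s) name=\"%s\"\n",
           rc, rc == -ENOBUFS ? "ENOBUFS, name truncated safely" : "?", n);
    n = decode_into(PKT_COMPRESSED, sizeof(PKT_COMPRESSED), 17, 64, &rc);
    printf("compressed name:        rc=%d name=\"%s\"\n", rc, n);
    decode_into(PKT_LOOP, sizeof(PKT_LOOP), 0, 64, &rc);
    printf("pointer loop:           rc=%d (EINVAL expected)\n", rc);
    decode_into(PKT_TRUNC, sizeof(PKT_TRUNC), 0, 64, &rc);
    printf("truncated label:        rc=%d (EINVAL expected)\n", rc);
    return 0;
}
```

The 12-byte case is the one the patch is about: without the `name_len + dot + len + 1 > max_name` check, appending `com` would write past the end of the buffer; with it, the decoder stops with `-ENOBUFS` and the caller can decide whether a truncated name is usable. The hop limit on compression pointers is the analogue of the `counter` argument in connman's `get_name()`.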
* Re: [PATCH] connman: Fix for CVE-2017-12865
From: Burton, Ross @ 2017-08-29 16:25 UTC (permalink / raw)
To: Sona Sarmadi; +Cc: OE-core
This is now in master, will you also submit backports for the stable
branches?
Ross
On 21 August 2017 at 13:05, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
> dnsproxy: Fix crash on malformed DNS response
> If the response query string is malformed, we might access memory
> past the end of "name" variable in parse_response().
>
> [YOCTO #11959]
>
> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> ---
> .../connman/connman/CVE-2017-12865.patch | 87
> ++++++++++++++++++++++
> meta/recipes-connectivity/connman/connman_1.34.bb | 1 +
> 2 files changed, 88 insertions(+)
> create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2017-
> 12865.patch
>
> diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
> b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
> new file mode 100644
> index 0000000..45f78f1
> --- /dev/null
> +++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
> @@ -0,0 +1,87 @@
> +From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
> +From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
> +Date: Wed, 9 Aug 2017 10:16:46 +0300
> +Subject: dnsproxy: Fix crash on malformed DNS response
> +
> +If the response query string is malformed, we might access memory
> +pass the end of "name" variable in parse_response().
> +
> +CVE: CVE-2017-12865
> +Upstream-Status: Backport [https://git.kernel.org/pub/
> scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f324
> 67f8f67b71]
> +
> +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
> +---
> + src/dnsproxy.c | 16 ++++++++++------
> + 1 file changed, 10 insertions(+), 6 deletions(-)
> +
> +diff --git a/src/dnsproxy.c b/src/dnsproxy.c
> +index 38ac5bf..40b4f15 100644
> +--- a/src/dnsproxy.c
> ++++ b/src/dnsproxy.c
> +@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer
> request, int *qtype, int proto)
> + static int get_name(int counter,
> + unsigned char *pkt, unsigned char *start, unsigned char
> *max,
> + unsigned char *output, int output_max, int *output_len,
> +- unsigned char **end, char *name, int *name_len)
> ++ unsigned char **end, char *name, size_t max_name, int
> *name_len)
> + {
> + unsigned char *p;
> +
> +@@ -859,7 +859,7 @@ static int get_name(int counter,
> +
> + return get_name(counter + 1, pkt, pkt + offset,
> max,
> + output, output_max, output_len,
> end,
> +- name, name_len);
> ++ name, max_name, name_len);
> + } else {
> + unsigned label_len = *p;
> +
> +@@ -869,6 +869,9 @@ static int get_name(int counter,
> + if (*output_len > output_max)
> + return -ENOBUFS;
> +
> ++ if ((*name_len + 1 + label_len + 1) > max_name)
> ++ return -ENOBUFS;
> ++
> + /*
> + * We need the original name in order to check
> + * if this answer is the correct one.
> +@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned
> char *start,
> + unsigned char *response, unsigned int
> *response_size,
> + uint16_t *type, uint16_t *class, int *ttl, int
> *rdlen,
> + unsigned char **end,
> +- char *name)
> ++ char *name, size_t max_name)
> + {
> + struct domain_rr *rr;
> + int err, offset;
> + int name_len = 0, output_len = 0, max_rsp = *response_size;
> +
> + err = get_name(0, buf, start, max, response, max_rsp,
> +- &output_len, end, name, &name_len);
> ++ &output_len, end, name, max_name, &name_len);
> + if (err < 0)
> + return err;
> +
> +@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int
> buflen,
> + memset(rsp, 0, sizeof(rsp));
> +
> + ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
> +- type, class, ttl, &rdlen, &next, name);
> ++ type, class, ttl, &rdlen, &next, name,
> ++ sizeof(name) - 1);
> + if (ret != 0) {
> + err = ret;
> + goto out;
> +@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int
> buflen,
> + */
> + ret = get_name(0, buf, next - rdlen, buf + buflen,
> + rsp, rsp_len, &output_len, &end,
> +- name, &name_len);
> ++ name, sizeof(name) - 1, &name_len);
> + if (ret != 0) {
> + /* just ignore the error at this point */
> + ptr = next;
> +--
> +cgit v1.1
> +
> diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb
> b/meta/recipes-connectivity/connman/connman_1.34.bb
> index 868f940..dc2c688 100644
> --- a/meta/recipes-connectivity/connman/connman_1.34.bb
> +++ b/meta/recipes-connectivity/connman/connman_1.34.bb
> @@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz
> \
> file://connman \
> file://no-version-scripts.patch \
> file://includes.patch \
> + file://CVE-2017-12865.patch \
> "
> SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch
> \
> "
> --
> 1.9.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>