ConnMan network manager
 help / color / Atom feed
* [PATCH] dnsproxy: Check the length of buffers before memcpy
@ 2021-06-09  7:59 Daniel Wagner
  2021-06-09  8:00 ` Daniel Wagner
  0 siblings, 1 reply; 2+ messages in thread
From: Daniel Wagner @ 2021-06-09  7:59 UTC (permalink / raw)
  To: connman; +Cc: Valery Kashcheev

From: Valery Kashcheev <v.kascheev@omp.ru>

Fix using a stack-based buffer overflow attack by checking the length of
the ptr and uptr buffers.

Fix debug message output.

Fixes: CVE-2021-33833
---
 src/dnsproxy.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index de52df5ad0a0..38dbdd71e425 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
 		 * tmp buffer.
 		 */
 
-		debug("pos %d ulen %d left %d name %s", pos, ulen,
-			(int)(uncomp_len - (uptr - uncompressed)), uptr);
-
-		ulen = strlen(name);
-		if ((uptr + ulen + 1) > uncomp_end) {
+		ulen = strlen(name) + 1;
+		if ((uptr + ulen) > uncomp_end)
 			goto out;
-		}
-		strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
+		strncpy(uptr, name, ulen);
+
+		debug("pos %d ulen %d left %d name %s", pos, ulen,
+			(int)(uncomp_end - (uptr + ulen)), uptr);
 
 		uptr += ulen;
-		*uptr++ = '\0';
 
 		ptr += pos;
 
@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
 		} else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
 			dlen = uptr[-2] << 8 | uptr[-1];
 
-			if (ptr + dlen > end) {
+			if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
 				debug("data len %d too long", dlen);
 				goto out;
 			}
@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
 			 * refresh interval, retry interval, expiration
 			 * limit and minimum ttl). They are 20 bytes long.
 			 */
+			if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
+				debug("soa record too long");
+				goto out;
+			}
 			memcpy(uptr, ptr, 20);
 			uptr += 20;
 			ptr += 20;
-- 
2.31.1

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] dnsproxy: Check the length of buffers before memcpy
  2021-06-09  7:59 [PATCH] dnsproxy: Check the length of buffers before memcpy Daniel Wagner
@ 2021-06-09  8:00 ` Daniel Wagner
  0 siblings, 0 replies; 2+ messages in thread
From: Daniel Wagner @ 2021-06-09  8:00 UTC (permalink / raw)
  To: connman; +Cc: Valery Kashcheev

Hi,

On Wed, Jun 09, 2021 at 09:59:35AM +0200, Daniel Wagner wrote:
> From: Valery Kashcheev <v.kascheev@omp.ru>
> 
> Fix using a stack-based buffer overflow attack by checking the length of
> the ptr and uptr buffers.
> 
> Fix debug message output.
> 
> Fixes: CVE-2021-33833

Patch applied.

Thanks,
Daniel

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-09  7:59 [PATCH] dnsproxy: Check the length of buffers before memcpy Daniel Wagner
2021-06-09  8:00 ` Daniel Wagner

ConnMan network manager

Archives are clonable:
	git clone --mirror https://lore.kernel.org/connman/0 connman/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 connman connman/ https://lore.kernel.org/connman \
		connman@lists.linux.dev
	public-inbox-index connman

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/dev.linux.lists.connman


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git