mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
c-ares: fix CVE-2023-32067
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1. References: https://nvd.nist.gov/vuln/detail/CVE-2023-32067 https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
5fb3554563
commit
fec772d55f
@@ -0,0 +1,87 @@
|
|||||||
|
From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brad House <brad@brad-house.com>
|
||||||
|
Date: Mon, 22 May 2023 06:51:49 -0400
|
||||||
|
Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
|
||||||
|
|
||||||
|
CVE: CVE-2023-32067
|
||||||
|
|
||||||
|
Upstream Status: Backport
|
||||||
|
[https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae]
|
||||||
|
|
||||||
|
Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
|
||||||
|
---
|
||||||
|
src/lib/ares_process.c | 41 +++++++++++++++++++++++++----------------
|
||||||
|
1 file changed, 25 insertions(+), 16 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
|
||||||
|
index bf0cde4..6cac0a9 100644
|
||||||
|
--- a/src/lib/ares_process.c
|
||||||
|
+++ b/src/lib/ares_process.c
|
||||||
|
@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
|
||||||
|
{
|
||||||
|
struct server_state *server;
|
||||||
|
int i;
|
||||||
|
- ares_ssize_t count;
|
||||||
|
+ ares_ssize_t read_len;
|
||||||
|
unsigned char buf[MAXENDSSZ + 1];
|
||||||
|
#ifdef HAVE_RECVFROM
|
||||||
|
ares_socklen_t fromlen;
|
||||||
|
@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
|
||||||
|
/* To reduce event loop overhead, read and process as many
|
||||||
|
* packets as we can. */
|
||||||
|
do {
|
||||||
|
- if (server->udp_socket == ARES_SOCKET_BAD)
|
||||||
|
- count = 0;
|
||||||
|
-
|
||||||
|
- else {
|
||||||
|
- if (server->addr.family == AF_INET)
|
||||||
|
+ if (server->udp_socket == ARES_SOCKET_BAD) {
|
||||||
|
+ read_len = -1;
|
||||||
|
+ } else {
|
||||||
|
+ if (server->addr.family == AF_INET) {
|
||||||
|
fromlen = sizeof(from.sa4);
|
||||||
|
- else
|
||||||
|
+ } else {
|
||||||
|
fromlen = sizeof(from.sa6);
|
||||||
|
- count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
|
||||||
|
- sizeof(buf), 0, &from.sa, &fromlen);
|
||||||
|
+ }
|
||||||
|
+ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
|
||||||
|
+ sizeof(buf), 0, &from.sa, &fromlen);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (count == -1 && try_again(SOCKERRNO))
|
||||||
|
+ if (read_len == 0) {
|
||||||
|
+ /* UDP is connectionless, so result code of 0 is a 0-length UDP
|
||||||
|
+ * packet, and not an indication the connection is closed like on
|
||||||
|
+ * tcp */
|
||||||
|
continue;
|
||||||
|
- else if (count <= 0)
|
||||||
|
+ } else if (read_len < 0) {
|
||||||
|
+ if (try_again(SOCKERRNO))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
handle_error(channel, i, now);
|
||||||
|
+
|
||||||
|
#ifdef HAVE_RECVFROM
|
||||||
|
- else if (!same_address(&from.sa, &server->addr))
|
||||||
|
+ } else if (!same_address(&from.sa, &server->addr)) {
|
||||||
|
/* The address the response comes from does not match the address we
|
||||||
|
* sent the request to. Someone may be attempting to perform a cache
|
||||||
|
* poisoning attack. */
|
||||||
|
- break;
|
||||||
|
+ continue;
|
||||||
|
#endif
|
||||||
|
- else
|
||||||
|
- process_answer(channel, buf, (int)count, i, 0, now);
|
||||||
|
- } while (count > 0);
|
||||||
|
+
|
||||||
|
+ } else {
|
||||||
|
+ process_answer(channel, buf, (int)read_len, i, 0, now);
|
||||||
|
+ }
|
||||||
|
+ } while (read_len >= 0);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -5,7 +5,9 @@ SECTION = "libs"
|
|||||||
LICENSE = "MIT"
|
LICENSE = "MIT"
|
||||||
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
|
LIC_FILES_CHKSUM = "file://LICENSE.md;md5=fb997454c8d62aa6a47f07a8cd48b006"
|
||||||
|
|
||||||
SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https"
|
SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
|
||||||
|
file://CVE-2023-32067.patch \
|
||||||
|
"
|
||||||
SRCREV = "fddf01938d3789e06cc1c3774e4cd0c7d2a89976"
|
SRCREV = "fddf01938d3789e06cc1c3774e4cd0c7d2a89976"
|
||||||
|
|
||||||
UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"
|
UPSTREAM_CHECK_GITTAGREGEX = "cares-(?P<pver>\d+_(\d_?)+)"
|
||||||
|
|||||||
Reference in New Issue
Block a user