mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-07 16:59:22 +00:00
Code Issues Projects Releases Wiki Activity

connman: fix CVE-2023-28488 DoS in client.c

Browse Source 
Upstream-Status: Backport from https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138

(From OE-Core rev: 7a5d78de47cdd79bcb1b0e62a65e10705d59a7d9)

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Hitendra Prajapati
2023-05-02 18:08:21 +05:30
committed by Steve Sakoman
parent 813d4715e4
commit 7aac01a2a7
2 changed files with 61 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-connectivity/connman/connman/CVE-2023-28488.patch
+60
View File
@@ -0,0 +1,60 @@
From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001
From: Daniel Wagner <wagi@monom.org>
Date: Tue, 11 Apr 2023 08:12:56 +0200
Subject: gdhcp: Verify and sanitize packet length first
Avoid overwriting the read packet length after the initial test. Thus
move all the length checks which depends on the total length first
and do not use the total lenght from the IP packet afterwards.
Reported by Polina Smirnova <moe.hwr@gmail.com>
CVE: CVE-2023-28488
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=99e2c16ea1cced34a5dc450d76287a1c3e762138]
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
gdhcp/client.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/gdhcp/client.c b/gdhcp/client.c
index 3016dfc..28fa606 100644
--- a/gdhcp/client.c
+++ b/gdhcp/client.c
@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes)
static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
struct sockaddr_in *dst_addr)
{
- int bytes;
struct ip_udp_dhcp_packet packet;
uint16_t check;
+ int bytes, tot_len;
memset(&packet, 0, sizeof(packet));
@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd,
if (bytes < 0)
return -1;
- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
- return -1;
-
- if (bytes < ntohs(packet.ip.tot_len))
+ tot_len = ntohs(packet.ip.tot_len);
+ if (bytes > tot_len) {
+ /* ignore any extra garbage bytes */
+ bytes = tot_len;
+ } else if (bytes < tot_len) {
/* packet is bigger than sizeof(packet), we did partial read */
return -1;
+ }
- /* ignore any extra garbage bytes */
- bytes = ntohs(packet.ip.tot_len);
+ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp)))
+ return -1;
if (!sanity_check(&packet, bytes))
return -1;
--
2.25.1
meta/recipes-connectivity/connman/connman_1.41.bb
+1
View File
@@ -8,6 +8,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://CVE-2022-32293_p1.patch \
file://CVE-2022-32293_p2.patch \
file://CVE-2022-32292.patch \
file://CVE-2023-28488.patch \
"
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"