mirror of
https://git.yoctoproject.org/poky
synced 2026-05-31 00:39:46 +00:00
connman :fix CVE-2025-32743
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c can be NULL or an empty string when the TC (Truncated) bit is set in a DNS response. This allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code, because those lookup values lead to incorrect length calculations and incorrect memcpy operations. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32743 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f (From OE-Core rev: 9558ec2091964556b47b0909c5d243aee5bafb6f) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Praveen Kumar
committed by
Steve Sakoman
Steve Sakoman
parent
e4df627b22
commit
86ea2699ac
@@ -0,0 +1,48 @@
|
|||||||
|
From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Praveen Kumar <praveen.kumar@windriver.com>
|
||||||
|
Date: Thu, 24 Apr 2025 11:39:29 +0000
|
||||||
|
Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
|
||||||
|
|
||||||
|
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
|
||||||
|
can be NULL or an empty string when the TC (Truncated) bit is set in
|
||||||
|
a DNS response. This allows attackers to cause a denial of service
|
||||||
|
(application crash) or possibly execute arbitrary code, because those
|
||||||
|
lookup values lead to incorrect length calculations and incorrect
|
||||||
|
memcpy operations.
|
||||||
|
|
||||||
|
This patch includes a check to make sure loookup value is valid before
|
||||||
|
using it. This helps avoid unexpected value when the input is empty or
|
||||||
|
incorrect.
|
||||||
|
|
||||||
|
Fixes: CVE-2025-32743
|
||||||
|
|
||||||
|
CVE: CVE-2025-32743
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
|
||||||
|
|
||||||
|
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
|
||||||
|
---
|
||||||
|
src/dnsproxy.c | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
|
||||||
|
index 7ebffbc..1a5a4f3 100644
|
||||||
|
--- a/src/dnsproxy.c
|
||||||
|
+++ b/src/dnsproxy.c
|
||||||
|
@@ -1669,8 +1669,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
|
||||||
|
gpointer request, gpointer name)
|
||||||
|
{
|
||||||
|
int sk = -1;
|
||||||
|
+ int err;
|
||||||
|
const char *lookup = (const char *)name;
|
||||||
|
- int err = ns_try_resolv_from_cache(req, request, lookup);
|
||||||
|
+
|
||||||
|
+ if (!lookup || strlen(lookup) == 0)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
|
+ err = ns_try_resolv_from_cache(req, request, lookup);
|
||||||
|
|
||||||
|
if (err > 0)
|
||||||
|
/* cache hit */
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -7,6 +7,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
|
|||||||
file://no-version-scripts.patch \
|
file://no-version-scripts.patch \
|
||||||
file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
|
file://0001-vpn-Adding-support-for-latest-pppd-2.5.0-release.patch \
|
||||||
file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \
|
file://0001-src-log.c-Include-libgen.h-for-basename-API.patch \
|
||||||
|
file://CVE-2025-32743.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
|
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
|
||||||
|
|||||||
Reference in New Issue
Block a user