mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-08 12:20:41 -05:00
ee48e784b9
* gnu/packages/patches/connman-CVE-2021-33833.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/connman.scm (connman)[source]: Use it.
74 lines
2.1 KiB
Diff
74 lines
2.1 KiB
Diff
Fix CVE-2021-33833:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
|
|
|
|
From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
|
|
From: Valery Kashcheev <v.kascheev@omp.ru>
|
|
Date: Mon, 7 Jun 2021 18:58:24 +0200
|
|
Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy
|
|
|
|
Fix using a stack-based buffer overflow attack by checking the length of
|
|
the ptr and uptr buffers.
|
|
|
|
Fix debug message output.
|
|
|
|
Fixes: CVE-2021-33833
|
|
---
|
|
src/dnsproxy.c | 20 +++++++++++---------
|
|
1 file changed, 11 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
|
|
index de52df5a..38dbdd71 100644
|
|
--- a/src/dnsproxy.c
|
|
+++ b/src/dnsproxy.c
|
|
@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
|
|
* tmp buffer.
|
|
*/
|
|
|
|
- debug("pos %d ulen %d left %d name %s", pos, ulen,
|
|
- (int)(uncomp_len - (uptr - uncompressed)), uptr);
|
|
-
|
|
- ulen = strlen(name);
|
|
- if ((uptr + ulen + 1) > uncomp_end) {
|
|
+ ulen = strlen(name) + 1;
|
|
+ if ((uptr + ulen) > uncomp_end)
|
|
goto out;
|
|
- }
|
|
- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
|
|
+ strncpy(uptr, name, ulen);
|
|
+
|
|
+ debug("pos %d ulen %d left %d name %s", pos, ulen,
|
|
+ (int)(uncomp_end - (uptr + ulen)), uptr);
|
|
|
|
uptr += ulen;
|
|
- *uptr++ = '\0';
|
|
|
|
ptr += pos;
|
|
|
|
@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
|
|
} else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
|
|
dlen = uptr[-2] << 8 | uptr[-1];
|
|
|
|
- if (ptr + dlen > end) {
|
|
+ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
|
|
debug("data len %d too long", dlen);
|
|
goto out;
|
|
}
|
|
@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
|
|
* refresh interval, retry interval, expiration
|
|
* limit and minimum ttl). They are 20 bytes long.
|
|
*/
|
|
+ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
|
|
+ debug("soa record too long");
|
|
+ goto out;
|
|
+ }
|
|
memcpy(uptr, ptr, 20);
|
|
uptr += 20;
|
|
ptr += 20;
|
|
--
|
|
2.32.0
|
|
|