|
|
@@ -0,0 +1,46 @@
|
|
|
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
|
|
|
+From: Praveen Kumar <praveen.kumar@windriver.com>
|
|
|
+Date: Thu, 24 Apr 2025 11:39:29 +0000
|
|
|
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
|
|
|
+
|
|
|
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
|
|
|
+can be NULL or an empty string when the TC (Truncated) bit is set in
|
|
|
+a DNS response. This allows attackers to cause a denial of service
|
|
|
+(application crash) or possibly execute arbitrary code, because those
|
|
|
+lookup values lead to incorrect length calculations and incorrect
|
|
|
+memcpy operations.
|
|
|
+
|
|
|
+This patch includes a check to make sure loookup value is valid before
|
|
|
+using it. This helps avoid unexpected value when the input is empty or
|
|
|
+incorrect.
|
|
|
+
|
|
|
+Fixes: CVE-2025-32743
|
|
|
+
|
|
|
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
|
|
|
+Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
|
|
|
+---
|
|
|
+ src/dnsproxy.c | 7 ++++++-
|
|
|
+ 1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
+
|
|
|
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
|
|
|
+index f28a5d7551a4..7ee26d9ff886 100644
|
|
|
+--- a/src/dnsproxy.c
|
|
|
++++ b/src/dnsproxy.c
|
|
|
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
|
|
|
+ gpointer request, gpointer name)
|
|
|
+ {
|
|
|
+ int sk = -1;
|
|
|
++ int err;
|
|
|
+ const char *lookup = (const char *)name;
|
|
|
+- int err = ns_try_resolv_from_cache(req, request, lookup);
|
|
|
++
|
|
|
++ if (!lookup || strlen(lookup) == 0)
|
|
|
++ return -EINVAL;
|
|
|
++
|
|
|
++ err = ns_try_resolv_from_cache(req, request, lookup);
|
|
|
+
|
|
|
+ if (err > 0)
|
|
|
+ /* cache hit */
|
|
|
+--
|
|
|
+2.43.0
|
|
|
+
|
Dario Binacchi