Message ID: 20250513080956.1578804-1-dario.binacchi@amarulasolutions.com
State: New
>>>>> "Dario" == Dario Binacchi <dario.binacchi@amarulasolutions.com> writes:

> In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
> that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
> and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
> than the amount of remaining packet data in the current state of
> parsing. As a result, values of stack memory locations may be sent
> over the network in a response.
> Fixes:
> https://www.cve.org/CVERecord?id=CVE-2025-32366
> Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>

Committed, thanks.
On 13/05/2025 10:09, Dario Binacchi wrote:
> In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
> that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
> and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
> than the amount of remaining packet data in the current state of
> parsing. As a result, values of stack memory locations may be sent
> over the network in a response.
>
> Fixes:
> https://www.cve.org/CVERecord?id=CVE-2025-32366
>
> Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>

Applied to 2025.02.x, thanks.

Regards,
Arnout

> ---
>  ...Address-CVE-2025-32366-vulnerability.patch | 41 +++++++++++++++++++
>  package/connman/connman.mk                    |  3 ++
>  2 files changed, 44 insertions(+)
>  create mode 100644 package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
>
> diff --git a/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch b/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
> new file mode 100644
> index 000000000000..9651b2dfe473
> --- /dev/null
> +++ b/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
> @@ -0,0 +1,41 @@ > +From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001 > +From: =?UTF-8?q?=EC=8B=A0=EC=9C=A4=EC=A0=9C=28=ED=95=99=EB=B6=80=EC=83=9D-?= > + =?UTF-8?q?=EC=86=8C=ED=94=84=ED=8A=B8=EC=9B=A8=EC=96=B4=EC=A0=84=EA=B3=B5?= > + =?UTF-8?q?=29?= <ioerts@kookmin.ac.kr> > +Date: Mon, 12 May 2025 10:48:18 +0200 > +Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability > + > +In Connman parse_rr in dnsproxy.c has a memcpy length > +that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) > +and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger > +than the amount of remaining packet data in the current state of > +parsing. As a result, values of stack memory locations may be sent > +over the network in a response. > + > +This patch adds a check to ensure that (*end + *rdlen) does not exceed > +the valid range. If the condition is violated, the function returns > +-EINVAL. > + > +Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> > +Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4 > +--- > + src/dnsproxy.c | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/src/dnsproxy.c b/src/dnsproxy.c > +index 7ee26d9ff886..1dd2f7f5d47e 100644 > +--- a/src/dnsproxy.c > ++++ b/src/dnsproxy.c > +@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, > + if ((offset + *rdlen) > *response_size) > + return -ENOBUFS; > + > ++ if ((*end + *rdlen) > max) > ++ return -EINVAL; > ++ > + memcpy(response + offset, *end, *rdlen); > + > + *end += *rdlen; > +-- > +2.43.0 > + > diff --git a/package/connman/connman.mk b/package/connman/connman.mk > index 5d515c296319..c9637eadf5aa 100644 > --- a/package/connman/connman.mk > +++ b/package/connman/connman.mk 
> @@ -16,6 +16,9 @@ CONNMAN_CPE_ID_VENDOR = intel > # 0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch > CONNMAN_IGNORE_CVES += CVE-2025-32743 > > +# 0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch > +CONNMAN_IGNORE_CVES += CVE-2025-32366 > + > CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc > > ifeq ($(BR2_INIT_SYSTEMD),y)
diff --git a/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch b/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch new file mode 100644 index 000000000000..9651b2dfe473 --- /dev/null +++ b/package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch @@ -0,0 +1,41 @@ +From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=EC=8B=A0=EC=9C=A4=EC=A0=9C=28=ED=95=99=EB=B6=80=EC=83=9D-?= + =?UTF-8?q?=EC=86=8C=ED=94=84=ED=8A=B8=EC=9B=A8=EC=96=B4=EC=A0=84=EA=B3=B5?= + =?UTF-8?q?=29?= <ioerts@kookmin.ac.kr> +Date: Mon, 12 May 2025 10:48:18 +0200 +Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability + +In Connman parse_rr in dnsproxy.c has a memcpy length +that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) +and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger +than the amount of remaining packet data in the current state of +parsing. As a result, values of stack memory locations may be sent +over the network in a response. + +This patch adds a check to ensure that (*end + *rdlen) does not exceed +the valid range. If the condition is violated, the function returns +-EINVAL. + +Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com> +Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4 +--- + src/dnsproxy.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/dnsproxy.c b/src/dnsproxy.c +index 7ee26d9ff886..1dd2f7f5d47e 100644 +--- a/src/dnsproxy.c ++++ b/src/dnsproxy.c +@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, + if ((offset + *rdlen) > *response_size) + return -ENOBUFS; + ++ if ((*end + *rdlen) > max) ++ return -EINVAL; ++ + memcpy(response + offset, *end, *rdlen); + + *end += *rdlen; +-- +2.43.0 + diff --git a/package/connman/connman.mk b/package/connman/connman.mk index 5d515c296319..c9637eadf5aa 100644 
--- a/package/connman/connman.mk +++ b/package/connman/connman.mk @@ -16,6 +16,9 @@ CONNMAN_CPE_ID_VENDOR = intel # 0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch CONNMAN_IGNORE_CVES += CVE-2025-32743 +# 0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch +CONNMAN_IGNORE_CVES += CVE-2025-32366 + CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc ifeq ($(BR2_INIT_SYSTEMD),y)
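Review bot: in the dnsproxy.c hunk carried by the new patch file, the added guard `if ((*end + *rdlen) > max)` forms the pointer `*end + *rdlen` before testing it, so when RDLENGTH overshoots the packet the comparison is already made on a pointer past the end of the buffer; assuming `max` is the one-past-the-end packet pointer the comparison implies, a length comparison such as `if (*rdlen > (size_t)(max - *end))` expresses the same bound without out-of-bounds pointer arithmetic. The check is otherwise correctly placed: it comes after the existing `-ENOBUFS` output-size check and before both the `memcpy(response + offset, *end, *rdlen)` and the `*end += *rdlen` advance, so neither the copy nor the cursor can run past the packet. The `Upstream:` tag naming commit 8d3be0285f1d4667bfe85dba555c663eb3d704b4 matches the `From` line of the embedded patch, which is what a backported fix under package/ needs.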
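Review bot: in the connman.mk hunk, the new `CONNMAN_IGNORE_CVES += CVE-2025-32366` line is tied to the fix only by the comment naming 0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch, following the form of the existing CVE-2025-32743 entry; since nothing else links the two, it is worth stating in the commit message that the ignore entry and the patch file must be dropped together when connman is bumped to a release that contains the upstream commit, otherwise a stale ignore would silence the CVE after the local patch is gone.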
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
than the amount of remaining packet data in the current state of
parsing. As a result, values of stack memory locations may be sent
over the network in a response.

Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32366

Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
---
 ...Address-CVE-2025-32366-vulnerability.patch | 41 +++++++++++++++++++
 package/connman/connman.mk                    |  3 ++
 2 files changed, 44 insertions(+)
 create mode 100644 package/connman/0002-dnsproxy-Address-CVE-2025-32366-vulnerability.patch
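The bound that the commit message says was missing, shown as an added C example that is not ConnMan's code and only loosely mirrors the shape of parse_rr() in dnsproxy.c: a resource-record copier that reads RDLENGTH from a constructed packet, checks it against the output buffer (the existing -ENOBUFS check) and then against the bytes actually remaining in the packet (the check CVE-2025-32366 lacked) before the memcpy. The function names copy_rr, check_rr and be16, the parameter layout, the assumption that the cursor sits on the 10-byte fixed RR header (owner name and compression already consumed), and the two sample records are this example's own.

```c
/*
 * Added example, not ConnMan's code. Demonstrates the input-side bounds
 * check an RR copier needs when RDLENGTH comes from the wire. The fixed
 * RR header handled here is TYPE(2) CLASS(2) TTL(4) RDLENGTH(2); the owner
 * name is assumed to have been consumed already (an assumption, not how
 * dnsproxy.c is laid out).
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RR_FIXED_LEN 10  /* TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) */

/* Read a 16-bit big-endian field without ntohs(), to stay portable. */
static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/*
 * Copy one RR (fixed header + RDATA) from the packet cursor *end into
 * response + *offset. `max` is one past the last valid packet byte.
 * Returns 0 on success, -EINVAL if the packet is truncated, -ENOBUFS if
 * the output buffer is too small. On success *end and *offset advance.
 */
static int copy_rr(const unsigned char **end, const unsigned char *max,
                   unsigned char *response, size_t response_size,
                   size_t *offset)
{
    size_t remaining = (size_t)(max - *end);
    uint16_t rdlen;

    /* The fixed header itself must lie inside the packet. */
    if (remaining < RR_FIXED_LEN)
        return -EINVAL;

    rdlen = be16(*end + 8);  /* RDLENGTH occupies header bytes 8..9 */

    /* Output-side check: does the copy fit in the response buffer? */
    if (*offset + RR_FIXED_LEN + rdlen > response_size)
        return -ENOBUFS;

    /*
     * Input-side check (the missing one): RDLENGTH is attacker-controlled,
     * so it must be bounded by the bytes that really remain after the
     * header. Comparing lengths instead of forming *end + rdlen avoids
     * out-of-bounds pointer arithmetic on a truncated packet.
     */
    if (remaining - RR_FIXED_LEN < rdlen)
        return -EINVAL;

    memcpy(response + *offset, *end, RR_FIXED_LEN + rdlen);
    *offset += RR_FIXED_LEN + rdlen;
    *end += RR_FIXED_LEN + rdlen;
    return 0;
}

/* Constructed sample: A record 10.0.0.1, TYPE 1, CLASS 1, TTL 60, RDLENGTH 4. */
static const unsigned char good_rr[] = {
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x04,
    10, 0, 0, 1
};

/* Constructed sample: same header, but RDLENGTH claims 4 while only 2 follow. */
static const unsigned char truncated_rr[] = {
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x3c, 0x00, 0x04,
    10, 0
};

/*
 * Run copy_rr over a packet with a response buffer of resp_size bytes
 * (capped at 64). Returns copy_rr's result; *copied gets the bytes copied.
 */
static int check_rr(const unsigned char *pkt, size_t pkt_len,
                    size_t resp_size, size_t *copied)
{
    unsigned char response[64];
    const unsigned char *end = pkt;
    size_t offset = 0;
    int rc;

    if (resp_size > sizeof(response))
        resp_size = sizeof(response);
    rc = copy_rr(&end, pkt + pkt_len, response, resp_size, &offset);
    if (copied)
        *copied = offset;
    return rc;
}

int main(void)
{
    size_t n = 0;
    printf("well-formed RR: rc=%d copied=%zu\n",
           check_rr(good_rr, sizeof(good_rr), 64, &n), n);
    printf("truncated RDATA: rc=%d (expect -EINVAL=%d)\n",
           check_rr(truncated_rr, sizeof(truncated_rr), 64, &n), -EINVAL);
    printf("small response buffer: rc=%d (expect -ENOBUFS=%d)\n",
           check_rr(good_rr, sizeof(good_rr), 8, &n), -ENOBUFS);
    return 0;
}
```

The order of the two checks matches the patched function: the output-size test first, then the packet-remaining test, then the copy. Without the second test the truncated sample would copy two bytes of whatever lies beyond the packet buffer into the response, which is the stack disclosure the advisory describes.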