[2/2] package/connman: fix CVE-2025-32743
diff mbox series

Message ID 20250512163253.1521000-2-dario.binacchi@amarulasolutions.com
State New
Headers show
Series
  • [1/2] package/connman: bump to version 1.44
Related show

Commit Message

Dario Binacchi May 12, 2025, 4:32 p.m. UTC 
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.

Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
---
 ...L-empty-lookup-causing-potential-cra.patch | 46 +++++++++++++++++++
 package/connman/connman.mk                    |  3 ++
 2 files changed, 49 insertions(+)
 create mode 100644 package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch

Patch
diff mbox series 

diff --git a/package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch b/package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
new file mode 100644
index 000000000000..9c1274e43ce5
--- /dev/null
+++ b/package/connman/0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
@@ -0,0 +1,46 @@ 
+From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
+From: Praveen Kumar <praveen.kumar@windriver.com>
+Date: Thu, 24 Apr 2025 11:39:29 +0000
+Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
+
+In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
+can be NULL or an empty string when the TC (Truncated) bit is set in
+a DNS response. This allows attackers to cause a denial of service
+(application crash) or possibly execute arbitrary code, because those
+lookup values lead to incorrect length calculations and incorrect
+memcpy operations.
+
+This patch includes a check to make sure loookup value is valid before
+using it. This helps avoid unexpected value when the input is empty or
+incorrect.
+
+Fixes: CVE-2025-32743
+
+Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
+Upstream: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f
+---
+ src/dnsproxy.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index f28a5d7551a4..7ee26d9ff886 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1685,8 +1685,13 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
+ 				gpointer request, gpointer name)
+ {
+ 	int sk = -1;
++	int err;
+ 	const char *lookup = (const char *)name;
+-	int err = ns_try_resolv_from_cache(req, request, lookup);
++
++	if (!lookup || strlen(lookup) == 0)
++		return -EINVAL;
++
++	err = ns_try_resolv_from_cache(req, request, lookup);
+ 
+ 	if (err > 0)
+ 		/* cache hit */
+-- 
+2.43.0
+
diff --git a/package/connman/connman.mk b/package/connman/connman.mk
index 2c5be8252c6e..5d515c296319 100644
--- a/package/connman/connman.mk
+++ b/package/connman/connman.mk
@@ -13,6 +13,9 @@  CONNMAN_LICENSE = GPL-2.0
 CONNMAN_LICENSE_FILES = COPYING
 CONNMAN_CPE_ID_VENDOR = intel
 
+# 0001-dnsproxy-Fix-NULL-empty-lookup-causing-potential-cra.patch
+CONNMAN_IGNORE_CVES += CVE-2025-32743
+
 CONNMAN_CONF_OPTS = --with-dbusconfdir=/etc
 
 ifeq ($(BR2_INIT_SYSTEMD),y)