From patchwork Mon May 12 08:48:18 2025
X-Patchwork-Submitter: Michael Nazzareno Trimarchi
X-Patchwork-Id: 3972
From: Michael Trimarchi
To: connman@lists.linux.dev
Cc: denkenz@gmail.com, linux-amarula@amarulasolutions.com, =?utf-8?b?7Iug?= =?utf-8?b?7Jyk7KCcKO2Vmeu2gOyDnS3shoztlITtirjsm6jslrTsoITqs7Up?=
Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability
Date: Mon, 12 May 2025 10:48:18 +0200
Message-ID: <20250512084818.411262-1-michael@amarulasolutions.com>
X-Mailer: git-send-email 2.43.0

From: 신윤제(학부생-소프트웨어전공)

In Connman, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger than the amount of remaining packet data in the current state of parsing. As a result, values of stack memory locations may be sent over the network in a response.

This patch adds a check to ensure that (*end + *rdlen) does not exceed the valid range. If the condition is violated, the function returns -EINVAL.
---
V1->V2:
- resent using proper inline patch
---
 src/dnsproxy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/dnsproxy.c b/src/dnsproxy.c index 7ee26d9f..1dd2f7f5 100644 --- a/src/dnsproxy.c +++ b/src/dnsproxy.c
@@ -998,6 +998,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, if ((offset + *rdlen) > *response_size) return -ENOBUFS; + if ((*end + *rdlen) > max) + return -EINVAL; + memcpy(response + offset, *end, *rdlen); *end += *rdlen;
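
Review bot: the added test `if ((*end + *rdlen) > max)` builds the pointer `*end + *rdlen` before comparing it, so in exactly the case it is meant to catch (an RDLENGTH larger than the remaining packet data) the addition itself steps beyond the buffer, which C leaves undefined and which can wrap when the buffer sits near the top of the address space. Comparing lengths instead, for example `if (*rdlen > max - *end) return -EINVAL;`, expresses the same condition without forming the out-of-range pointer; it relies on `*end <= max` already holding at this point, which is not visible in the hunk and is worth confirming. A short comment saying whether `max` is the last valid byte or one past it would also settle whether `>` or `>=` is the right operator here.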