diff options
Diffstat (limited to 'gnu/packages/patches/connman-CVE-2021-33833.patch')
-rw-r--r-- | gnu/packages/patches/connman-CVE-2021-33833.patch | 74 |
1 files changed, 0 insertions, 74 deletions
diff --git a/gnu/packages/patches/connman-CVE-2021-33833.patch b/gnu/packages/patches/connman-CVE-2021-33833.patch deleted file mode 100644 index 3e1a19d961..0000000000 --- a/gnu/packages/patches/connman-CVE-2021-33833.patch +++ /dev/null @@ -1,74 +0,0 @@ -Fix CVE-2021-33833: - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833 - -Patch copied from upstream source repository: - -https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c - -From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 -From: Valery Kashcheev <v.kascheev@omp.ru> -Date: Mon, 7 Jun 2021 18:58:24 +0200 -Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy - -Fix using a stack-based buffer overflow attack by checking the length of -the ptr and uptr buffers. - -Fix debug message output. - -Fixes: CVE-2021-33833 ---- - src/dnsproxy.c | 20 +++++++++++--------- - 1 file changed, 11 insertions(+), 9 deletions(-) - -diff --git a/src/dnsproxy.c b/src/dnsproxy.c -index de52df5a..38dbdd71 100644 ---- a/src/dnsproxy.c -+++ b/src/dnsproxy.c -@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, - * tmp buffer. - */ - -- debug("pos %d ulen %d left %d name %s", pos, ulen, -- (int)(uncomp_len - (uptr - uncompressed)), uptr); -- -- ulen = strlen(name); -- if ((uptr + ulen + 1) > uncomp_end) { -+ ulen = strlen(name) + 1; -+ if ((uptr + ulen) > uncomp_end) - goto out; -- } -- strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); -+ strncpy(uptr, name, ulen); -+ -+ debug("pos %d ulen %d left %d name %s", pos, ulen, -+ (int)(uncomp_end - (uptr + ulen)), uptr); - - uptr += ulen; -- *uptr++ = '\0'; - - ptr += pos; - -@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, - } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { - dlen = uptr[-2] << 8 | uptr[-1]; - -- if (ptr + dlen > end) { -+ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { - debug("data len %d too long", dlen); - goto out; - } -@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, - * refresh interval, retry interval, expiration - * limit and minimum ttl). They are 20 bytes long. - */ -+ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { -+ debug("soa record too long"); -+ goto out; -+ } - memcpy(uptr, ptr, 20); - uptr += 20; - ptr += 20; --- -2.32.0 - |