summary refs log tree commit diff
path: root/gnu/packages/patches/connman-CVE-2021-33833.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/connman-CVE-2021-33833.patch')
-rw-r--r--gnu/packages/patches/connman-CVE-2021-33833.patch74
1 files changed, 0 insertions, 74 deletions
diff --git a/gnu/packages/patches/connman-CVE-2021-33833.patch b/gnu/packages/patches/connman-CVE-2021-33833.patch
deleted file mode 100644
index 3e1a19d961..0000000000
--- a/gnu/packages/patches/connman-CVE-2021-33833.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-Fix CVE-2021-33833:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833
-
-Patch copied from upstream source repository:
-
-https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
-
-From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
-From: Valery Kashcheev <v.kascheev@omp.ru>
-Date: Mon, 7 Jun 2021 18:58:24 +0200
-Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy
-
-Fix using a stack-based buffer overflow attack by checking the length of
-the ptr and uptr buffers.
-
-Fix debug message output.
-
-Fixes: CVE-2021-33833
----
- src/dnsproxy.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/src/dnsproxy.c b/src/dnsproxy.c
-index de52df5a..38dbdd71 100644
---- a/src/dnsproxy.c
-+++ b/src/dnsproxy.c
-@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
- 		 * tmp buffer.
- 		 */
- 
--		debug("pos %d ulen %d left %d name %s", pos, ulen,
--			(int)(uncomp_len - (uptr - uncompressed)), uptr);
--
--		ulen = strlen(name);
--		if ((uptr + ulen + 1) > uncomp_end) {
-+		ulen = strlen(name) + 1;
-+		if ((uptr + ulen) > uncomp_end)
- 			goto out;
--		}
--		strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
-+		strncpy(uptr, name, ulen);
-+
-+		debug("pos %d ulen %d left %d name %s", pos, ulen,
-+			(int)(uncomp_end - (uptr + ulen)), uptr);
- 
- 		uptr += ulen;
--		*uptr++ = '\0';
- 
- 		ptr += pos;
- 
-@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
- 		} else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
- 			dlen = uptr[-2] << 8 | uptr[-1];
- 
--			if (ptr + dlen > end) {
-+			if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
- 				debug("data len %d too long", dlen);
- 				goto out;
- 			}
-@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
- 			 * refresh interval, retry interval, expiration
- 			 * limit and minimum ttl). They are 20 bytes long.
- 			 */
-+			if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
-+				debug("soa record too long");
-+				goto out;
-+			}
- 			memcpy(uptr, ptr, 20);
- 			uptr += 20;
- 			ptr += 20;
--- 
-2.32.0
-