CaROS/poky
3
1
Fork 0
mirror of https://git.yoctoproject.org/git/poky synced 2026-01-04 16:10:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

connman :fix CVE-2025-32743

Browse Source 
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32743

Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f

(From OE-Core rev: ece0fb01bf28fa114f0a6e479491b4b6f565c80c)

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Praveen Kumar 2025-05-07 11:48:58 +00:00 committed by Steve Sakoman
parent 73c2187fbc
commit 9b99800fe7
2 changed files with 44 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
meta/recipes-connectivity/connman/connman/CVE-2025-32743.patch Normal file
View File

@ -0,0 +1,43 @@
From d90b911f6760959bdf1393c39fe8d1118315490f Mon Sep 17 00:00:00 2001
From: Praveen Kumar <praveen.kumar@windriver.com>
Date: Thu, 24 Apr 2025 11:39:29 +0000
Subject: [PATCH] dnsproxy: Fix NULL/empty lookup causing potential crash
In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c
can be NULL or an empty string when the TC (Truncated) bit is set in
a DNS response. This allows attackers to cause a denial of service
(application crash) or possibly execute arbitrary code, because those
lookup values lead to incorrect length calculations and incorrect
memcpy operations.
This patch includes a check to make sure loookup value is valid before
using it. This helps avoid unexpected value when the input is empty or
incorrect.
Fixes: CVE-2025-32743
CVE: CVE-2025-32743
Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d90b911f6760959bdf1393c39fe8d1118315490f]
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
src/dnsproxy.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index cf1d36c..334dd00 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -1615,6 +1615,9 @@ static int ns_resolv(struct server_data *server, struct request_data *req,
char *dot, *lookup = (char *) name;
struct cache_entry *entry;
+ if (!lookup || strlen(lookup) == 0)
+ return -EINVAL;
+
entry = cache_check(request, &type, req->protocol);
if (entry) {
int ttl_left = 0;
--
2.40.0

1
meta/recipes-connectivity/connman/connman_1.41.bb
View File

@ -9,6 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://CVE-2022-32293_p2.patch \
file://CVE-2022-32292.patch \
file://CVE-2023-28488.patch \
file://CVE-2025-32743.patch \
"
SRC_URI:append:libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"