Vulmon
Hi,
On behalf of my colleague Daniel Wagner, connman maintainer.
CVE-2021-33833
Found by Mike Evdokimov at Digital Security.
The issue affects the dnsproxy component in releases 1.32 to 1.39 of connman.
Unpacking of NAME and RDATA/RDLENGTH fields with TYPE A/AAAA in the uncompress
function uses a memcpy with insufficient bounds checking, which can overflow
a stack buffer.
Researcher has written a POC, works with stack overflow heuristics and PIE disabled,
so stack overflow protection seems to mitigate it.
attached is 0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch by
r.alyautdin () omprussia ru will be used by upstream connman team.
Note that it touches the same function and piece of code as a previous CVE in connman,
the earlier fix was apparently not complete.
Ciao, Marcus