<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
connman stack buffer overflow in dnsproxy CVE-2021-33833
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: Marcus Meissner <meissner () suse de>
Date: Wed, 9 Jun 2021 10:19:09 +0200
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
Hi,
On behalf of my colleague Daniel Wagner, connman maintainer.
CVE-2021-33833
Found by Mike Evdokimov at Digital Security.
The issue affects the dnsproxy component in releases 1.32 to 1.39 of connman.
Unpacking of NAME and RDATA/RDLENGTH fields with TYPE A/AAAA in the uncompress
function uses a memcpy with insufficient bounds checking, which can overflow
a stack buffer.
Researcher has written a POC, works with stack overflow heuristics and PIE disabled,
so stack overflow protection seems to mitigate it.
attached is 0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch by
r.alyautdin () omprussia ru will be used by upstream connman team.
Note that it touches the same function and piece of code as a previous CVE in connman,
the earlier fix was apparently not complete.
Ciao, Marcus
Attachment:
0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch
Description:
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
connman stack buffer overflow in dnsproxy CVE-2021-33833 Marcus Meissner (Jun 09)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->