From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001 From: Yoonje Shin Date: Mon, 12 May 2025 10:48:18 +0200 Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability In Connman parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger than the amount of remaining packet data in the current state of parsing. As a result, values of stack memory locations may be sent over the network in a response. This patch adds a check to ensure that (*end + *rdlen) does not exceed the valid range. If the condition is violated, the function returns -EINVAL. CVE: CVE-2025-32366 Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4] Signed-off-by: Praveen Kumar --- src/dnsproxy.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/dnsproxy.c b/src/dnsproxy.c index 1a5a4f3..50b2d55 100644 --- a/src/dnsproxy.c +++ b/src/dnsproxy.c @@ -985,6 +985,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start, if ((offset + *rdlen) > *response_size) return -ENOBUFS; + if ((*end + *rdlen) > max) + return -EINVAL; + memcpy(response + offset, *end, *rdlen); *end += *rdlen; -- 2.40.0