From 8d3be0285f1d4667bfe85dba555c663eb3d704b4 Mon Sep 17 00:00:00 2001
From: Yoonje Shin <ioerts@kookmin.ac.kr>
Date: Mon, 12 May 2025 10:48:18 +0200
Subject: [PATCH] dnsproxy: Address CVE-2025-32366 vulnerability

In Connman parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
than the amount of remaining packet data in the current state of
parsing. As a result, values of stack memory locations may be sent
over the network in a response.

This patch adds a check to ensure that (*end + *rdlen) does not exceed
the valid range. If the condition is violated, the function returns
-EINVAL.

CVE: CVE-2025-32366

Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4]

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
 src/dnsproxy.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index 1a5a4f3..50b2d55 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -985,6 +985,9 @@ static int parse_rr(const unsigned char *buf, const unsigned char *start,
	if ((offset + *rdlen) > *response_size)
		return -ENOBUFS;

+	if ((*end + *rdlen) > max)
+		return -EINVAL;
+
	memcpy(response + offset, *end, *rdlen);

	*end += *rdlen;
--
2.40.0