git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit

author	Praveen Kumar <praveen.kumar@windriver.com>
	Thu, 15 May 2025 06:12:22 +0000 (11:42 +0530)
committer	Steve Sakoman <steve@sakoman.com>
	Thu, 15 May 2025 16:42:55 +0000 (09:42 -0700)
commit	02e046149b1cc5eca5188eec7b4e1a9970b97faf
tree	35e4fdfc0f64c3a70f61f348f861ba48d6732bab	tree \| snapshot
parent	6565ae2b01d6eb1e3a83ed387a5e3b765f85b8cf	commit \| diff

connman :fix CVE-2025-32366

In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen) without a check for whether
the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be
larger than the amount of remaining packet data in the current state
of parsing. Values of stack memory locations may be sent over the
network in a response.

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-32366

Upstream-patch:
https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4

Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

meta/recipes-connectivity/connman/connman/CVE-2025-32366.patch	[new file with mode: 0644]	blob
meta/recipes-connectivity/connman/connman_1.42.bb		diff \| blob \| blame \| history