Fix CVE-2021-33833: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33833 Patch copied from upstream source repository: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001 From: Valery Kashcheev Date: Mon, 7 Jun 2021 18:58:24 +0200 Subject: [PATCH] dnsproxy: Check the length of buffers before memcpy Fix using a stack-based buffer overflow attack by checking the length of the ptr and uptr buffers. Fix debug message output. Fixes: CVE-2021-33833 --- src/dnsproxy.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/src/dnsproxy.c b/src/dnsproxy.c index de52df5a..38dbdd71 100644 --- a/src/dnsproxy.c +++ b/src/dnsproxy.c @@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end, * tmp buffer. */ - debug("pos %d ulen %d left %d name %s", pos, ulen, - (int)(uncomp_len - (uptr - uncompressed)), uptr); - - ulen = strlen(name); - if ((uptr + ulen + 1) > uncomp_end) { + ulen = strlen(name) + 1; + if ((uptr + ulen) > uncomp_end) goto out; - } - strncpy(uptr, name, uncomp_len - (uptr - uncompressed)); + strncpy(uptr, name, ulen); + + debug("pos %d ulen %d left %d name %s", pos, ulen, + (int)(uncomp_end - (uptr + ulen)), uptr); uptr += ulen; - *uptr++ = '\0'; ptr += pos; @@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end, } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) { dlen = uptr[-2] << 8 | uptr[-1]; - if (ptr + dlen > end) { + if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) { debug("data len %d too long", dlen); goto out; } @@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end, * refresh interval, retry interval, expiration * limit and minimum ttl). They are 20 bytes long. */ + if ((uptr + 20) > uncomp_end || (ptr + 20) > end) { + debug("soa record too long"); + goto out; + } memcpy(uptr, ptr, 20); uptr += 20; ptr += 20; -- 2.32.0