diff options
Diffstat (limited to 'meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch')
| -rw-r--r-- | meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch b/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch deleted file mode 100644 index 8e2f47a1d5..0000000000 --- a/meta/recipes-connectivity/connman/connman/0001-gdhcp-Verify-and-sanitize-packet-length-first.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 99e2c16ea1cced34a5dc450d76287a1c3e762138 Mon Sep 17 00:00:00 2001 -From: Daniel Wagner <wagi@monom.org> -Date: Tue, 11 Apr 2023 08:12:56 +0200 -Subject: [PATCH] gdhcp: Verify and sanitize packet length first - -Avoid overwriting the read packet length after the initial test. Thus -move all the length checks which depends on the total length first -and do not use the total lenght from the IP packet afterwards. - -Fixes CVE-2023-28488 - -Reported by Polina Smirnova <moe.hwr@gmail.com> - -CVE: CVE-2023-28488 -Upstream-Status: Backport -Signed-off-by: Ross Burton <ross.burton@arm.com> - ---- - gdhcp/client.c | 16 +++++++++------- - 1 file changed, 9 insertions(+), 7 deletions(-) - -diff --git a/gdhcp/client.c b/gdhcp/client.c -index 7efa7e45..82017692 100644 ---- a/gdhcp/client.c -+++ b/gdhcp/client.c -@@ -1319,9 +1319,9 @@ static bool sanity_check(struct ip_udp_dhcp_packet *packet, int bytes) - static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, - struct sockaddr_in *dst_addr) - { -- int bytes; - struct ip_udp_dhcp_packet packet; - uint16_t check; -+ int bytes, tot_len; - - memset(&packet, 0, sizeof(packet)); - -@@ -1329,15 +1329,17 @@ static int dhcp_recv_l2_packet(struct dhcp_packet *dhcp_pkt, int fd, - if (bytes < 0) - return -1; - -- if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) -- return -1; -- -- if (bytes < ntohs(packet.ip.tot_len)) -+ tot_len = ntohs(packet.ip.tot_len); -+ if (bytes > tot_len) { -+ /* ignore any extra garbage bytes */ -+ bytes = tot_len; -+ } else if (bytes < tot_len) { - /* packet is bigger than sizeof(packet), we did partial read */ - return -1; -+ } - -- /* ignore any extra garbage bytes */ -- bytes = ntohs(packet.ip.tot_len); -+ if (bytes < (int) (sizeof(packet.ip) + sizeof(packet.udp))) -+ return -1; - - if (!sanity_check(&packet, bytes)) - return -1; --- -2.34.1 - |