From 380b6fb2583f875aad0cb28c91b1531e63eb2eeb Mon Sep 17 00:00:00 2001 From: Chee Yang Lee Date: Tue, 13 Sep 2022 11:47:37 +0800 Subject: connman: fix CVE-2022-32292 Signed-off-by: Chee Yang Lee Signed-off-by: Steve Sakoman --- .../connman/connman/CVE-2022-32292.patch | 37 ++++++++++++++++++++++ meta/recipes-connectivity/connman/connman_1.37.bb | 1 + 2 files changed, 38 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch diff --git a/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch new file mode 100644 index 0000000000..74a739d6a2 --- /dev/null +++ b/meta/recipes-connectivity/connman/connman/CVE-2022-32292.patch @@ -0,0 +1,37 @@ +From d1a5ede5d255bde8ef707f8441b997563b9312bd Mon Sep 17 00:00:00 2001 +From: Nathan Crandall +Date: Tue, 12 Jul 2022 08:56:34 +0200 +Subject: gweb: Fix OOB write in received_data() + +There is a mismatch of handling binary vs. C-string data with memchr +and strlen, resulting in pos, count, and bytes_read to become out of +sync and result in a heap overflow. Instead, do not treat the buffer +as an ASCII C-string. We calculate the count based on the return value +of memchr, instead of strlen. + +Fixes: CVE-2022-32292 + +Upstream-Status: Backport +https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=d1a5ede5d255bde8ef707f8441b997563b9312b +CVE: CVE-2022-32292 +Signed-off-by: Lee Chee Yang +--- + gweb/gweb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gweb/gweb.c b/gweb/gweb.c +index 12fcb1d8..13c6c5f2 100644 +--- a/gweb/gweb.c ++++ b/gweb/gweb.c +@@ -918,7 +918,7 @@ static gboolean received_data(GIOChannel *channel, GIOCondition cond, + } + + *pos = '\0'; +- count = strlen((char *) ptr); ++ count = pos - ptr; + if (count > 0 && ptr[count - 1] == '\r') { + ptr[--count] = '\0'; + bytes_read--; +-- +cgit + diff --git a/meta/recipes-connectivity/connman/connman_1.37.bb b/meta/recipes-connectivity/connman/connman_1.37.bb index bdd1e590ec..4f22c7ad49 100644 --- a/meta/recipes-connectivity/connman/connman_1.37.bb +++ b/meta/recipes-connectivity/connman/connman_1.37.bb @@ -12,6 +12,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \ file://CVE-2021-33833.patch \ file://CVE-2022-23096-7.patch \ file://CVE-2022-23098.patch \ + file://CVE-2022-32292.patch \ " SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch" -- cgit 1.2.3-korg