Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20210609081909.GH25582@suse.de>
Date: Wed, 9 Jun 2021 10:19:09 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: connman stack buffer overflow in dnsproxy CVE-2021-33833

Hi,

On behalf of my colleague Daniel Wagner, connman maintainer.

CVE-2021-33833

Found by Mike Evdokimov at Digital Security.

The issue affects the dnsproxy component in releases 1.32 to 1.39 of connman.

Unpacking of NAME and RDATA/RDLENGTH fields with TYPE A/AAAA in the uncompress
function uses a memcpy with insufficient bounds checking, which can overflow
a stack buffer.

Researcher has written a POC, works with stack overflow heuristics and PIE disabled,
so stack overflow protection seems to mitigate it.

attached is 0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch by
r.alyautdin@...russia.ru will be used by upstream connman team.

Note that it touches the same function and piece of code as a previous CVE in connman,
the earlier fix was apparently not complete.

Ciao, Marcus

View attachment "0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch" of type "text/x-patch" (1802 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.