

dnsproxy: Check the length of buffers before memcpy
Fix a stack-based buffer overflow by checking the length of the
ptr and uptr buffers.

Fix debug message output.

Fixes: CVE-2021-33833
GIDMYRT authored and LaakkonenJussi committed Jun 9, 2021
1 parent 321618d commit 137f524
Showing 1 changed file with 9 additions and 7 deletions.
16 changes: 9 additions & 7 deletions connman/src/dnsproxy.c
Expand Up @@ -1786,17 +1786,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
* tmp buffer.
*/

ulen = strlen(name);
if ((uptr + ulen + 1) > uncomp_end) {
ulen = strlen(name) + 1;
if ((uptr + ulen) > uncomp_end)
goto out;
}
strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
strncpy(uptr, name, ulen);

DBG("pos %d ulen %d left %d name %s", pos, ulen,
(int)(uncomp_len - (uptr - uncompressed)), uptr);
(int)(uncomp_end - (uptr + ulen)), uptr);

uptr += ulen;
*uptr++ = '\0';

ptr += pos;

Expand Down Expand Up @@ -1839,7 +1837,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
} else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
dlen = uptr[-2] << 8 | uptr[-1];

if (ptr + dlen > end) {
if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
DBG("data len %d too long", dlen);
goto out;
}
Expand Down Expand Up @@ -1878,6 +1876,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
* refresh interval, retry interval, expiration
* limit and minimum ttl). They are 20 bytes long.
*/
if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
DBG("soa record too long");
goto out;
}
memcpy(uptr, ptr, 20);
uptr += 20;
ptr += 20;
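Review bot: In the second hunk (the `dns_type == ns_t_a || dns_type == ns_t_aaaa` branch) the new check `if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end)` never rejects a negative `dlen`, and the line above it builds `dlen` from `uptr[-2] << 8 | uptr[-1]` through what appears to be a plain `char` pointer, so on targets where `char` is signed a length byte with the high bit set produces a negative value that passes both comparisons. If the copy that follows is a `memcpy(uptr, ptr, dlen)` (it lies outside the hunk, as does the rest of `uncompress`), that negative length would be converted to a very large `size_t`. Reading the two bytes as unsigned before combining them bounds `dlen` to 0..65535: `dlen = ((unsigned char)uptr[-2] << 8) | (unsigned char)uptr[-1];`. As a point of style, the pointer-plus-length comparisons in all three hunks form a pointer past the end of the buffer before comparing it; comparing the remaining space instead, e.g. `if (dlen > end - ptr || dlen > uncomp_end - uptr)`, avoids that and reads more directly as a length check.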
