connman stack buffer overflow in dnsproxy CVE-2021-33833

[Marcus Meissner <meissner () suse de>]

Hi,

On behalf of my colleague Daniel Wagner, connman maintainer.

CVE-2021-33833

Found by Mike Evdokimov at Digital Security.

The issue affects the dnsproxy component in releases 1.32 to 1.39 of connman.

Unpacking of NAME and RDATA/RDLENGTH fields with TYPE A/AAAA in the uncompress
function uses a memcpy with insufficient bounds checking, which can overflow
a stack buffer.

Researcher has written a POC, works with stack overflow heuristics and PIE disabled,
so stack overflow protection seems to mitigate it.

attached is 0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch by
r.alyautdin () omprussia ru will be used by upstream connman team.

Note that it touches the same function and piece of code as a previous CVE in connman,
the earlier fix was apparently not complete.

Ciao, Marcus

Attachment: 0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch
Description: