oss-sec mailing list archives
connman stack buffer overflow in dnsproxy CVE-2021-33833
From: Marcus Meissner <meissner () suse de>
Date: Wed, 9 Jun 2021 10:19:09 +0200
Hi, On behalf of my colleague Daniel Wagner, connman maintainer. CVE-2021-33833 Found by Mike Evdokimov at Digital Security. The issue affects the dnsproxy component in releases 1.32 to 1.39 of connman. Unpacking of NAME and RDATA/RDLENGTH fields with TYPE A/AAAA in the uncompress function uses a memcpy with insufficient bounds checking, which can overflow a stack buffer. Researcher has written a POC, works with stack overflow heuristics and PIE disabled, so stack overflow protection seems to mitigate it. attached is 0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch by r.alyautdin () omprussia ru will be used by upstream connman team. Note that it touches the same function and piece of code as a previous CVE in connman, the earlier fix was apparently not complete. Ciao, Marcus
Attachment:
0001-dnsproxy-Check-the-length-of-buffers-before-memcpy.patch
Description:
Current thread:
- connman stack buffer overflow in dnsproxy CVE-2021-33833 Marcus Meissner (Jun 09)