Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-connectivity/connman')
3 files changed, 191 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0003-stats-Fix-bad-file-descriptor-initialisation.patch b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0003-stats-Fix-bad-file-descriptor-initialisation.patch
new file mode 100644
index 000000000..c545811ee
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0003-stats-Fix-bad-file-descriptor-initialisation.patch
@@ -0,0 +1,102 @@
+From c7f4151fb053b0d0691d8f10d7e3690265d28889 Mon Sep 17 00:00:00 2001
+From: Lukasz Nowak <lnowak@tycoint.com>
+Date: Wed, 26 Oct 2016 18:13:02 +0100
+Subject: [PATCH] stats: Fix bad file descriptor initialisation
+
+Stats file code initialises its file descriptor field to 0. But 0 is
+a valid fd value. -1 should be used instead. This causes problems
+when an error happens before a stats file is open (e.g. mkdir
+fails). The clean-up procedure, stats_free() calls close(fd). When fd
+is 0, this first closes stdin, and then any files/sockets which
+received fd=0, re-used by the OS.
+
+Fixed several instances of bad file descriptor field handling, in case
+of errors.
+
+The bug results with connman freezing if there is no read/write storage
+directory available, and there are multiple active interfaces
+(fd=0 gets re-used for sockets in that case).
+
+The patch was imported from the Connman git repository
+(git://git.kernel.org/pub/scm/network/connman) as of commit id
+c7f4151fb053b0d0691d8f10d7e3690265d28889.
+
+Upstream-Status: Accepted
+Signed-off-by: Lukasz Nowak <lnowak@tycoint.com>
+---
+ src/stats.c | 15 +++++++++++++++
+ src/util.c | 4 ++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/stats.c b/src/stats.c
+index 26343b1..c3ca738 100644
+--- a/src/stats.c
++++ b/src/stats.c
+@@ -378,6 +378,7 @@ static int stats_file_setup(struct stats_file *file)
+ strerror(errno), file->name);
+
+ TFR(close(file->fd));
++ file->fd = -1;
+ g_free(file->name);
+ file->name = NULL;
+
+@@ -393,6 +394,7 @@ static int stats_file_setup(struct stats_file *file)
+ err = stats_file_remap(file, size);
+ if (err < 0) {
+ TFR(close(file->fd));
++ file->fd = -1;
+ g_free(file->name);
+ file->name = NULL;
+
+@@ -649,6 +651,13 @@ static int stats_file_history_update(struct stats_file *data_file)
+ bzero(history_file, sizeof(struct stats_file));
+ bzero(temp_file, sizeof(struct stats_file));
+
++ /*
++ * 0 is a valid file descriptor - fd needs to be initialized
++ * to -1 to handle errors correctly
++ */
++ history_file->fd = -1;
++ temp_file->fd = -1;
++
+ err = stats_open(history_file, data_file->history_name);
+ if (err < 0)
+ return err;
+@@ -682,6 +691,12 @@ int __connman_stats_service_register(struct connman_service *service)
+ if (!file)
+ return -ENOMEM;
+
++ /*
++ * 0 is a valid file descriptor - fd needs to be initialized
++ * to -1 to handle errors correctly
++ */
++ file->fd = -1;
++
+ g_hash_table_insert(stats_hash, service, file);
+ } else {
+ return -EALREADY;
+diff --git a/src/util.c b/src/util.c
+index e6532c8..732d451 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -63,7 +63,7 @@ int __connman_util_init(void)
+ {
+ int r = 0;
+
+- if (f > 0)
++ if (f >= 0)
+ return 0;
+
+ f = open(URANDOM, O_RDONLY);
+@@ -86,7 +86,7 @@ int __connman_util_init(void)
+
+ void __connman_util_cleanup(void)
+ {
+- if (f > 0)
++ if (f >= 0)
+ close(f);
+
+ f = -1;
+--
+2.7.4
+
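Review bot: In the src/util.c part of the added patch, the guard in `__connman_util_init()` becomes `if (f >= 0) return 0;`, which is only correct if `f` holds -1 before the first call; the declaration of `f` is outside the hunk, so this needs to be confirmed. If `f` were zero-initialised, the function would return before `f = open(URANDOM, O_RDONLY);` and the random source would never be opened, while `__connman_util_cleanup()` would then close descriptor 0. I would make the invariant explicit where `f` is declared, with an initialiser of `-1` and a comment such as `/* -1 = not open; 0 is a valid descriptor */`. The bodies of `__connman_util_init()` and of the stats functions continue outside the visible hunks.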
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 000000000..45f78f10e
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ src/dnsproxy.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+ static int get_name(int counter,
+ unsigned char *pkt, unsigned char *start, unsigned char *max,
+ unsigned char *output, int output_max, int *output_len,
+- unsigned char **end, char *name, int *name_len)
++ unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+ unsigned char *p;
+
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+
+ return get_name(counter + 1, pkt, pkt + offset, max,
+ output, output_max, output_len, end,
+- name, name_len);
++ name, max_name, name_len);
+ } else {
+ unsigned label_len = *p;
+
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+ if (*output_len > output_max)
+ return -ENOBUFS;
+
++ if ((*name_len + 1 + label_len + 1) > max_name)
++ return -ENOBUFS;
++
+ /*
+ * We need the original name in order to check
+ * if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+ unsigned char *response, unsigned int *response_size,
+ uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+ unsigned char **end,
+- char *name)
++ char *name, size_t max_name)
+ {
+ struct domain_rr *rr;
+ int err, offset;
+ int name_len = 0, output_len = 0, max_rsp = *response_size;
+
+ err = get_name(0, buf, start, max, response, max_rsp,
+- &output_len, end, name, &name_len);
++ &output_len, end, name, max_name, &name_len);
+ if (err < 0)
+ return err;
+
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+ memset(rsp, 0, sizeof(rsp));
+
+ ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+- type, class, ttl, &rdlen, &next, name);
++ type, class, ttl, &rdlen, &next, name,
++ sizeof(name) - 1);
+ if (ret != 0) {
+ err = ret;
+ goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+ */
+ ret = get_name(0, buf, next - rdlen, buf + buflen,
+ rsp, rsp_len, &output_len, &end,
+- name, &name_len);
++ name, sizeof(name) - 1, &name_len);
+ if (ret != 0) {
+ /* just ignore the error at this point */
+ ptr = next;
+--
+cgit v1.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
index 6ea1a08dc..d8793ac8b 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
@@ -5,6 +5,8 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
 file://connman \
 file://no-version-scripts.patch \
 file://includes.patch \
+ file://0003-stats-Fix-bad-file-descriptor-initialisation.patch \
+ file://CVE-2017-12865.patch \
 "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
|
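Review bot: The new bound check in the label branch of get_name(), `if ((*name_len + 1 + label_len + 1) > max_name)`, mixes an `int` (`*name_len`), an `unsigned` (`label_len`) and a `size_t` (`max_name`), so it relies on implicit conversions and on `*name_len` never being negative. Writing it as `if ((size_t)*name_len + 1 + label_len + 1 > max_name)` states the intended arithmetic explicitly and keeps sign-compare warnings quiet. Both call sites in parse_response() pass `sizeof(name) - 1`, which is the buffer capacity only if `name` is declared as an array in that function; the declaration is outside the hunk and should be confirmed. A parameter comment such as `/* max_name: usable bytes in name (callers pass sizeof(name) - 1) */` would record the convention; get_name(), parse_rr() and parse_response() all continue beyond the visible hunks.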