Commit a8cfe998 authored May 13, 2025 by Dario Binacchi Committed by Peter Korsgaard May 13, 2025

package/connman: fix CVE-2025-32366

In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length
that depends on an RR RDLENGTH value (i.e., *rdlen=ntohs(rr->rdlen)
and memcpy(response+offset,*end,*rdlen)). Here, rdlen may be larger
than the amount of remaining packet data in the current state of
parsing. As a result, values of stack memory locations may be sent
over the network in a response.

Fixes:
https://www.cve.org/CVERecord?id=CVE-2025-32366



Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

parent 915a351e

Show whitespace changes

Inline Side-by-side

arnout @arnout
mentioned in commit 6efa33da
· May 31, 2025

mentioned in commit 6efa33da

mentioned in commit 6efa33dac1c081eb7e542469c94add1b9d916136

Toggle commit list

Please register or to comment