mirror of
https://git.yoctoproject.org/poky
synced 2026-02-11 11:13:04 +01:00
23a8405509
In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response. Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-32366 Upstream-patch: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=8d3be0285f1d4667bfe85dba555c663eb3d704b4 (From OE-Core rev: 1b9156124b4a07e0e3e0ab09e87d654eae6c7b4e) Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>