new file mode 100644
@@ -0,0 +1,72 @@
+From eceb2e8d2341c041df55a5e2f047d9a8c491463c Mon Sep 17 00:00:00 2001
+From: Valery Kashcheev <v.kascheev@omp.ru>
+Date: Mon, 7 Jun 2021 18:58:24 +0200
+Subject: dnsproxy: Check the length of buffers before memcpy
+
+Fix using a stack-based buffer overflow attack by checking the length of
+the ptr and uptr buffers.
+
+Fix debug message output.
+
+Fixes: CVE-2021-33833
+
+Upstream-Status: Backport
+https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
+CVE: CVE-2021-33833
+Signed-off-by: Steve Sakoman <steve@sakoman.com>
+
+---
+ src/dnsproxy.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index de52df5a..38dbdd71 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -1788,17 +1788,15 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * tmp buffer.
+ */
+
+- debug("pos %d ulen %d left %d name %s", pos, ulen,
+- (int)(uncomp_len - (uptr - uncompressed)), uptr);
+-
+- ulen = strlen(name);
+- if ((uptr + ulen + 1) > uncomp_end) {
++ ulen = strlen(name) + 1;
++ if ((uptr + ulen) > uncomp_end)
+ goto out;
+- }
+- strncpy(uptr, name, uncomp_len - (uptr - uncompressed));
++ strncpy(uptr, name, ulen);
++
++ debug("pos %d ulen %d left %d name %s", pos, ulen,
++ (int)(uncomp_end - (uptr + ulen)), uptr);
+
+ uptr += ulen;
+- *uptr++ = '\0';
+
+ ptr += pos;
+
+@@ -1841,7 +1839,7 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ } else if (dns_type == ns_t_a || dns_type == ns_t_aaaa) {
+ dlen = uptr[-2] << 8 | uptr[-1];
+
+- if (ptr + dlen > end) {
++ if ((ptr + dlen) > end || (uptr + dlen) > uncomp_end) {
+ debug("data len %d too long", dlen);
+ goto out;
+ }
+@@ -1880,6 +1878,10 @@ static char *uncompress(int16_t field_count, char *start, char *end,
+ * refresh interval, retry interval, expiration
+ * limit and minimum ttl). They are 20 bytes long.
+ */
++ if ((uptr + 20) > uncomp_end || (ptr + 20) > end) {
++ debug("soa record too long");
++ goto out;
++ }
+ memcpy(uptr, ptr, 20);
+ uptr += 20;
+ ptr += 20;
+--
+cgit 1.2.3-1.el7
+
@@ -9,6 +9,7 @@ SRC_URI = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
file://CVE-2021-26675.patch \
file://CVE-2021-26676-0001.patch \
file://CVE-2021-26676-0002.patch \
+ file://CVE-2021-33833.patch \
file://CVE-2022-23096-7.patch \
file://CVE-2022-23098.patch \
"
ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based buffer overflow in uncompress in dnsproxy.c via NAME, RDATA, or RDLENGTH (for A or AAAA). Backport patch from: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c CVE: CVE-2021-33833 Signed-off-by: Steve Sakoman <steve@sakoman.com> --- .../connman/connman/CVE-2021-33833.patch | 72 +++++++++++++++++++ .../connman/connman_1.37.bb | 1 + 2 files changed, 73 insertions(+) create mode 100644 meta/recipes-connectivity/connman/connman/CVE-2021-33833.patch