Message: 1 Date: Tue, 8 Aug 2017 13:27:37 -0700 From: Vinicius Costa Gomes <vcgo...@gmail.com> To: Jukka Rissanen <jukka.rissa...@linux.intel.com> Cc: connman@lists.01.org Subject: Re: [PATCH] dnsproxy: Fix crash on malformed DNS response Message-ID: <cam4ayvajfudufemqq0o2+uvdyrn_oh8qojt7ghnmp5y9wd0...@mail.gmail.com> Content-Type: text/plain; charset="UTF-8" Hi Jukka, On Mon, Aug 7, 2017 at 12:40 AM, Jukka Rissanen <jukka.rissa...@linux.intel.com> wrote: > If the response query string is malformed, we might access memory > pass the end of "name" variable in parse_response(). > --- > src/dnsproxy.c | 16 ++++++++++------ > 1 file changed, 10 insertions(+), 6 deletions(-) > > diff --git a/src/dnsproxy.c b/src/dnsproxy.c > index 38ac5bf..ce99a57 100644 > --- a/src/dnsproxy.c > +++ b/src/dnsproxy.c > @@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, > int *qtype, int proto) > static int get_name(int counter, > unsigned char *pkt, unsigned char *start, unsigned char *max, > unsigned char *output, int output_max, int *output_len, > - unsigned char **end, char *name, int *name_len) > + unsigned char **end, char *name, size_t max_name, int > *name_len) > { > unsigned char *p; 
> > @@ -859,7 +859,7 @@ static int get_name(int counter, > > return get_name(counter + 1, pkt, pkt + offset, max, > output, output_max, output_len, end, > - name, name_len); > + name, max_name, name_len); > } else { > unsigned label_len = *p; > > @@ -869,6 +869,9 @@ static int get_name(int counter, > if (*output_len > output_max) > return -ENOBUFS; > > + if ((*name_len + 1 + label_len + 1) > max_name) > + return -ENOBUFS; > + > /* > * We need the original name in order to check > * if this answer is the correct one. > @@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char > *start, > unsigned char *response, unsigned int *response_size, > uint16_t *type, uint16_t *class, int *ttl, int *rdlen, > unsigned char **end, > - char *name) > + char *name, int max_name) 'max_name' should be a size_t. The rest looks good. Cheers, -- Vinicius ------------------------------
Message: 3 Date: Wed, 9 Aug 2017 10:16:46 +0300 From: Jukka Rissanen <jukka.rissa...@linux.intel.com> To: connman@lists.01.org Subject: [PATCH v2] dnsproxy: Fix crash on malformed DNS response Message-ID: <20170809071646.15721-1-jukka.rissa...@linux.intel.com> If the response query string is malformed, we might access memory pass the end of "name" variable in parse_response(). --- v2: changed the max_name type to size_t src/dnsproxy.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/dnsproxy.c b/src/dnsproxy.c index 38ac5bf..40b4f15 100644 --- a/src/dnsproxy.c +++ b/src/dnsproxy.c @@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto) static int get_name(int counter, unsigned char *pkt, unsigned char *start, unsigned char *max, unsigned char *output, int output_max, int *output_len, - unsigned char **end, char *name, int *name_len) + unsigned char **end, char *name, size_t max_name, int *name_len) { unsigned char *p; 
@@ -859,7 +859,7 @@ static int get_name(int counter, return get_name(counter + 1, pkt, pkt + offset, max, output, output_max, output_len, end, - name, name_len); + name, max_name, name_len); } else { unsigned label_len = *p; @@ -869,6 +869,9 @@ static int get_name(int counter, if (*output_len > output_max) return -ENOBUFS; + if ((*name_len + 1 + label_len + 1) > max_name) + return -ENOBUFS; + /* * We need the original name in order to check * if this answer is the correct one. @@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start, unsigned char *response, unsigned int *response_size, uint16_t *type, uint16_t *class, int *ttl, int *rdlen, unsigned char **end, - char *name) + char *name, size_t max_name) { struct domain_rr *rr; int err, offset; int name_len = 0, output_len = 0, max_rsp = *response_size; err = get_name(0, buf, start, max, response, max_rsp, - &output_len, end, name, &name_len); + &output_len, end, name, max_name, &name_len); if (err < 0) return err; @@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen, memset(rsp, 0, sizeof(rsp)); ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len, - type, class, ttl, &rdlen, &next, name); + type, class, ttl, &rdlen, &next, name, + sizeof(name) - 1); if (ret != 0) { err = ret; goto out; @@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen, */ ret = get_name(0, buf, next - rdlen, buf + buflen, rsp, rsp_len, &output_len, &end, - name, &name_len); + name, sizeof(name) - 1, &name_len); if (ret != 0) { /* just ignore the error at this point */ ptr = next; -- 2.9.4 ------------------------------ Message: 4 Date: Wed, 09 Aug 2017 10:18:06 +0300 
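Review bot: In the `@@ -869,6 +869,9 @@` hunk of the v2 patch, the new test `(*name_len + 1 + label_len + 1) > max_name` mixes an int (`*name_len`), an unsigned (`label_len`) and a size_t (`max_name`), so the signed length is converted to unsigned before the comparison and the check is only sound while `*name_len` is non-negative. Consider making the length unsigned or stating that invariant in a comment. A one-line comment on what each `+ 1` reserves would also help, because the callers already pass `sizeof(name) - 1` and the diff alone does not show whether the terminating byte is accounted for once or twice.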
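Review bot: Both parse_response() call sites in the v2 patch (`@@ -1033,7 +1036,8 @@` and `@@ -1099,7 +1103,7 @@`) pass `sizeof(name) - 1`, which equals the buffer capacity only if `name` is an array declared in that function; the declaration is outside the diff context, so please confirm it, and consider one named size constant shared by the declaration and both calls. In the second call the result is still dropped under the existing "just ignore the error at this point" comment, so it is worth checking that `name` is not read afterwards when get_name() returns the new -ENOBUFS.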
From: Jukka Rissanen <jukka.rissa...@linux.intel.com> To: Vinicius Costa Gomes <vcgo...@gmail.com> Cc: connman@lists.01.org Subject: Re: [PATCH] dnsproxy: Fix crash on malformed DNS response Message-ID: <1502263086.3368.6.ca...@linux.intel.com> Content-Type: text/plain; charset="UTF-8" Hi Vinicius, On Tue, 2017-08-08 at 13:27 -0700, Vinicius Costa Gomes wrote: > Hi Jukka, > > On Mon, Aug 7, 2017 at 12:40 AM, Jukka Rissanen > <jukka.rissa...@linux.intel.com> wrote: > > If the response query string is malformed, we might access memory > > pass the end of "name" variable in parse_response(). > > --- > > ?src/dnsproxy.c | 16 ++++++++++------ > > ?1 file changed, 10 insertions(+), 6 deletions(-) > > > > diff --git a/src/dnsproxy.c b/src/dnsproxy.c > > index 38ac5bf..ce99a57 100644 > > --- a/src/dnsproxy.c > > +++ b/src/dnsproxy.c > > @@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer > > request, int *qtype, int proto) > > ?static int get_name(int counter, > > ????????????????unsigned char *pkt, unsigned char *start, unsigned > > char *max, > > ????????????????unsigned char *output, int output_max, int > > *output_len, > > -???????????????unsigned char **end, char *name, int *name_len) > > +???????????????unsigned char **end, char *name, size_t max_name, > > int *name_len) > > ?{ > > ????????unsigned char *p; > > > > @@ -859,7 +859,7 @@ static int get_name(int counter, > > > > ????????????????????????return get_name(counter + 1, pkt, pkt + > > offset, max, > > ????????????????????????????????????????output, output_max, > > output_len, end, > > -???????????????????????????????????????name, name_len); > > +???????????????????????????????????????name, max_name, name_len); > > ????????????????} else { > > ????????????????????????unsigned label_len = *p; 
> > > > @@ -869,6 +869,9 @@ static int get_name(int counter, > > ????????????????????????if (*output_len > output_max) > > ????????????????????????????????return -ENOBUFS; > > > > +???????????????????????if ((*name_len + 1 + label_len + 1) > > > max_name) > > +???????????????????????????????return -ENOBUFS; > > + > > ????????????????????????/* > > ?????????????????????????* We need the original name in order to > > check > > ?????????????????????????* if this answer is the correct one. > > @@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, > > unsigned char *start, > > ????????????????????????unsigned char *response, unsigned int > > *response_size, > > ????????????????????????uint16_t *type, uint16_t *class, int *ttl, > > int *rdlen, > > ????????????????????????unsigned char **end, > > -???????????????????????char *name) > > +???????????????????????char *name, int max_name) > > 'max_name' should be a size_t. Indeed, good catch :) > > The rest looks good. > > Thanks for the review, v2 sent to ml. Cheers, Jukka ------------------------------ Subject: Digest Footer _______________________________________________ connman mailing list connman@lists.01.org https://lists.01.org/mailman/listinfo/connman ------------------------------ End of connman Digest, Vol 22, Issue 6 **************************************