Today's Topics:

   1. Re: [PATCH] dnsproxy: Fix crash on malformed DNS response
      (Vinicius Costa Gomes)
   3. [PATCH v2] dnsproxy: Fix crash on malformed DNS response
      (Jukka Rissanen)
   4. Re: [PATCH] dnsproxy: Fix crash on malformed DNS response
      (Jukka Rissanen)


----------------------------------------------------------------------

Message: 1
Date: Tue, 8 Aug 2017 13:27:37 -0700
From: Vinicius Costa Gomes <vcgo...@gmail.com>
To: Jukka Rissanen <jukka.rissa...@linux.intel.com>
Cc: connman@lists.01.org
Subject: Re: [PATCH] dnsproxy: Fix crash on malformed DNS response
Message-ID:
        <cam4ayvajfudufemqq0o2+uvdyrn_oh8qojt7ghnmp5y9wd0...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi Jukka,

On Mon, Aug 7, 2017 at 12:40 AM, Jukka Rissanen
<jukka.rissa...@linux.intel.com> wrote:
> If the response query string is malformed, we might access memory
> past the end of the "name" variable in parse_response().
> ---
>  src/dnsproxy.c | 16 ++++++++++------
>  1 file changed, 10 insertions(+), 6 deletions(-)
>
> diff --git a/src/dnsproxy.c b/src/dnsproxy.c
> index 38ac5bf..ce99a57 100644
> --- a/src/dnsproxy.c
> +++ b/src/dnsproxy.c
> @@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, 
> int *qtype, int proto)
>  static int get_name(int counter,
>                 unsigned char *pkt, unsigned char *start, unsigned char *max,
>                 unsigned char *output, int output_max, int *output_len,
> -               unsigned char **end, char *name, int *name_len)
> +               unsigned char **end, char *name, size_t max_name, int 
> *name_len)
>  {
>         unsigned char *p;
>
> @@ -859,7 +859,7 @@ static int get_name(int counter,
>
>                         return get_name(counter + 1, pkt, pkt + offset, max,
>                                         output, output_max, output_len, end,
> -                                       name, name_len);
> +                                       name, max_name, name_len);
>                 } else {
>                         unsigned label_len = *p;
>
> @@ -869,6 +869,9 @@ static int get_name(int counter,
>                         if (*output_len > output_max)
>                                 return -ENOBUFS;
>
> +                       if ((*name_len + 1 + label_len + 1) > max_name)
> +                               return -ENOBUFS;
> +
>                         /*
>                          * We need the original name in order to check
>                          * if this answer is the correct one.
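Review bot: The new bound check `(*name_len + 1 + label_len + 1) > max_name` mixes three integer types: `*name_len` is an `int`, `label_len` is `unsigned`, and `max_name` is `size_t`. The left-hand side is therefore evaluated as unsigned, and a negative `*name_len` would wrap instead of failing the check. Consider keeping the running length in a `size_t` as well, or rejecting `*name_len < 0` before the comparison.
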
> @@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char 
> *start,
>                         unsigned char *response, unsigned int *response_size,
>                         uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
>                         unsigned char **end,
> -                       char *name)
> +                       char *name, int max_name)

'max_name' should be a size_t.

The rest looks good.


Cheers,
--
Vinicius


------------------------------

Message: 3
Date: Wed,  9 Aug 2017 10:16:46 +0300
From: Jukka Rissanen <jukka.rissa...@linux.intel.com>
To: connman@lists.01.org
Subject: [PATCH v2] dnsproxy: Fix crash on malformed DNS response
Message-ID: <20170809071646.15721-1-jukka.rissa...@linux.intel.com>

If the response query string is malformed, we might access memory
past the end of the "name" variable in parse_response().
---
v2: changed the max_name type to size_t

 src/dnsproxy.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index 38ac5bf..40b4f15 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, 
int *qtype, int proto)
 static int get_name(int counter,
                unsigned char *pkt, unsigned char *start, unsigned char *max,
                unsigned char *output, int output_max, int *output_len,
-               unsigned char **end, char *name, int *name_len)
+               unsigned char **end, char *name, size_t max_name, int *name_len)
 {
        unsigned char *p;
 
@@ -859,7 +859,7 @@ static int get_name(int counter,
 
                        return get_name(counter + 1, pkt, pkt + offset, max,
                                        output, output_max, output_len, end,
-                                       name, name_len);
+                                       name, max_name, name_len);
                } else {
                        unsigned label_len = *p;
 
@@ -869,6 +869,9 @@ static int get_name(int counter,
                        if (*output_len > output_max)
                                return -ENOBUFS;
 
+                       if ((*name_len + 1 + label_len + 1) > max_name)
+                               return -ENOBUFS;
+
                        /*
                         * We need the original name in order to check
                         * if this answer is the correct one.
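Review bot: The two `+ 1` terms in `(*name_len + 1 + label_len + 1) > max_name` are not explained, and the copy into `name` that they protect is outside the hunk, so the bound cannot be verified from the diff alone. A one-line comment saying which bytes each term reserves would help, particularly since the callers in the later hunks already pass `sizeof(name) - 1` rather than the full buffer size.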
@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char 
*start,
                        unsigned char *response, unsigned int *response_size,
                        uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
                        unsigned char **end,
-                       char *name)
+                       char *name, size_t max_name)
 {
        struct domain_rr *rr;
        int err, offset;
        int name_len = 0, output_len = 0, max_rsp = *response_size;
 
        err = get_name(0, buf, start, max, response, max_rsp,
-               &output_len, end, name, &name_len);
+                       &output_len, end, name, max_name, &name_len);
        if (err < 0)
                return err;
 
@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
                memset(rsp, 0, sizeof(rsp));
 
                ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
-                       type, class, ttl, &rdlen, &next, name);
+                       type, class, ttl, &rdlen, &next, name,
+                       sizeof(name) - 1);
                if (ret != 0) {
                        err = ret;
                        goto out;
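Review bot: `sizeof(name) - 1` in the `parse_rr()` call equals the buffer size minus one only while `name` is an array declared in `parse_response()`; the declaration is not in this hunk, and if `name` were ever changed to a pointer the expression would silently become the pointer size minus one. Taking the bound from the same constant that sizes the declaration would also avoid repeating the expression at the second `get_name()` call site.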
@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
                         */
                        ret = get_name(0, buf, next - rdlen, buf + buflen,
                                        rsp, rsp_len, &output_len, &end,
-                                       name, &name_len);
+                                       name, sizeof(name) - 1, &name_len);
                        if (ret != 0) {
                                /* just ignore the error at this point */
                                ptr = next;
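Review bot: The error branch after this `get_name()` call is commented "just ignore the error at this point", so the new `-ENOBUFS` return is dropped here and anything already written to `name` before the failure stays in the buffer. Because the new check adds to `*name_len`, it is also worth confirming that `name_len` is reset before this call (the reset is not visible in the hunk); otherwise a length carried over from an earlier name would count against `max_name`.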
-- 
2.9.4
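
Added example, not part of the patch above or of connman's code: a self-contained C decoder that shows the kind of bound the commit message calls for, checking every label against both the packet end and the destination buffer before copying. The names decode_name and MAX_HOPS, the dotted output format and both sample packets are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define MAX_HOPS 16 /* assumed cap on compression-pointer jumps */

/* Constructed samples: "www.example.com" (the literal's NUL is the root
 * label) and a label followed by a pointer back to offset 0 (a loop). */
static const unsigned char good_pkt[] = "\3www\7example\3com";
static const unsigned char loop_pkt[] = { 4, 'a', 'a', 'a', 'a', 0xC0, 0x00 };
/* Decode the name at pkt[off] into name[] as a dotted C string; returns length or -errno. */
static int decode_name(const unsigned char *pkt, size_t pkt_len, size_t off,
                       char *name, size_t name_size)
{
    size_t used = 0;
    int hops = 0;

    for (;;) {
        if (off >= pkt_len)
            return -EINVAL;              /* read would leave the packet */
        size_t len = pkt[off];
        if ((len & 0xC0) == 0xC0) {      /* compression pointer */
            if (off + 1 >= pkt_len || ++hops > MAX_HOPS)
                return -EINVAL;
            off = ((len & 0x3F) << 8) | pkt[off + 1];
            continue;
        }
        if (len == 0)
            break;                       /* root label ends the name */
        if ((len & 0xC0) || len > pkt_len - off - 1)
            return -EINVAL;              /* reserved type or label past packet end */
        /* separator (if any) + label + terminating NUL must fit */
        if (used + (used ? 1 : 0) + len + 1 > name_size)
            return -ENOBUFS;
        if (used)
            name[used++] = '.';
        memcpy(name + used, pkt + off + 1, len);
        used += len;
        off += 1 + len;
    }
    if (used >= name_size)
        return -ENOBUFS;                 /* no room even for the NUL */
    name[used] = '\0';
    return (int)used;
}

int main(void)
{
    char name[16];
    printf("%d\n", decode_name(good_pkt, sizeof(good_pkt), 0, name, sizeof(name)));
    printf("%d\n", decode_name(loop_pkt, sizeof(loop_pkt), 0, name, sizeof(name)));
}
```

The looping packet is rejected either by the buffer bound or by the hop limit, whichever is reached first, so the destination is never written past its end.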



------------------------------

Message: 4
Date: Wed, 09 Aug 2017 10:18:06 +0300
From: Jukka Rissanen <jukka.rissa...@linux.intel.com>
To: Vinicius Costa Gomes <vcgo...@gmail.com>
Cc: connman@lists.01.org
Subject: Re: [PATCH] dnsproxy: Fix crash on malformed DNS response
Message-ID: <1502263086.3368.6.ca...@linux.intel.com>
Content-Type: text/plain; charset="UTF-8"

Hi Vinicius,

On Tue, 2017-08-08 at 13:27 -0700, Vinicius Costa Gomes wrote:
> Hi Jukka,
> 
> On Mon, Aug 7, 2017 at 12:40 AM, Jukka Rissanen
> <jukka.rissa...@linux.intel.com> wrote:
> > If the response query string is malformed, we might access memory
> > past the end of the "name" variable in parse_response().
> > ---
> >  src/dnsproxy.c | 16 ++++++++++------
> >  1 file changed, 10 insertions(+), 6 deletions(-)
> > 
> > diff --git a/src/dnsproxy.c b/src/dnsproxy.c
> > index 38ac5bf..ce99a57 100644
> > --- a/src/dnsproxy.c
> > +++ b/src/dnsproxy.c
> > @@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer
> > request, int *qtype, int proto)
> > ?static int get_name(int counter,
> > ????????????????unsigned char *pkt, unsigned char *start, unsigned
> > char *max,
> > ????????????????unsigned char *output, int output_max, int
> > *output_len,
> > -???????????????unsigned char **end, char *name, int *name_len)
> > +???????????????unsigned char **end, char *name, size_t max_name,
> > int *name_len)
> > ?{
> > ????????unsigned char *p;
> > 
> > @@ -859,7 +859,7 @@ static int get_name(int counter,
> > 
> > ????????????????????????return get_name(counter + 1, pkt, pkt +
> > offset, max,
> > ????????????????????????????????????????output, output_max,
> > output_len, end,
> > -???????????????????????????????????????name, name_len);
> > +???????????????????????????????????????name, max_name, name_len);
> > ????????????????} else {
> > ????????????????????????unsigned label_len = *p;
> > 
> > @@ -869,6 +869,9 @@ static int get_name(int counter,
> > ????????????????????????if (*output_len > output_max)
> > ????????????????????????????????return -ENOBUFS;
> > 
> > +???????????????????????if ((*name_len + 1 + label_len + 1) >
> > max_name)
> > +???????????????????????????????return -ENOBUFS;
> > +
> > ????????????????????????/*
> > ?????????????????????????* We need the original name in order to
> > check
> > ?????????????????????????* if this answer is the correct one.
> > @@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf,
> > unsigned char *start,
> > ????????????????????????unsigned char *response, unsigned int
> > *response_size,
> > ????????????????????????uint16_t *type, uint16_t *class, int *ttl,
> > int *rdlen,
> > ????????????????????????unsigned char **end,
> > -???????????????????????char *name)
> > +???????????????????????char *name, int max_name)
> 
> 'max_name' should be a size_t.

Indeed, good catch :)

> 
> The rest looks good.
> 
> 

Thanks for the review, v2 sent to ml.


Cheers,
Jukka



------------------------------

End of connman Digest, Vol 22, Issue 6
**************************************
