[gnome-continuous-yocto/gnomeostree-3.28-rocko: 7318/8267] connman: Fix for CVE-2017-12865

[Emmanuele Bassi <ebassi src gnome org>]

commit 9086b525dd00f482ea68a384540cd30778413c9e
Author: Sona Sarmadi <sona sarmadi enea com>
Date:   Mon Aug 21 14:05:34 2017 +0200

    connman: Fix for CVE-2017-12865
    
    dnsproxy: Fix crash on malformed DNS response
    If the response query string is malformed, we might access memory
    pass the end of "name" variable in parse_response().
    
    [YOCTO #11959]
    
    (From OE-Core rev: fb3e30e45eea2042fdb0b667cbc2c79ae3f5a1a9)
    
    Signed-off-by: Sona Sarmadi <sona sarmadi enea com>
    Signed-off-by: Richard Purdie <richard purdie linuxfoundation org>

 .../connman/connman/CVE-2017-12865.patch           |   87 ++++++++++++++++++++
 meta/recipes-connectivity/connman/connman_1.34.bb  |    1 +
 2 files changed, 88 insertions(+), 0 deletions(-)
---
diff --git a/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch 
b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 0000000..45f78f1
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka rissanen linux intel com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona sarmadi enea com>
+---
+ src/dnsproxy.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+ static int get_name(int counter,
+               unsigned char *pkt, unsigned char *start, unsigned char *max,
+               unsigned char *output, int output_max, int *output_len,
+-              unsigned char **end, char *name, int *name_len)
++              unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+       unsigned char *p;
+ 
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+ 
+                       return get_name(counter + 1, pkt, pkt + offset, max,
+                                       output, output_max, output_len, end,
+-                                      name, name_len);
++                                      name, max_name, name_len);
+               } else {
+                       unsigned label_len = *p;
+ 
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+                       if (*output_len > output_max)
+                               return -ENOBUFS;
+ 
++                      if ((*name_len + 1 + label_len + 1) > max_name)
++                              return -ENOBUFS;
++
+                       /*
+                        * We need the original name in order to check
+                        * if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+                       unsigned char *response, unsigned int *response_size,
+                       uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+                       unsigned char **end,
+-                      char *name)
++                      char *name, size_t max_name)
+ {
+       struct domain_rr *rr;
+       int err, offset;
+       int name_len = 0, output_len = 0, max_rsp = *response_size;
+ 
+       err = get_name(0, buf, start, max, response, max_rsp,
+-              &output_len, end, name, &name_len);
++                      &output_len, end, name, max_name, &name_len);
+       if (err < 0)
+               return err;
+ 
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+               memset(rsp, 0, sizeof(rsp));
+ 
+               ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+-                      type, class, ttl, &rdlen, &next, name);
++                      type, class, ttl, &rdlen, &next, name,
++                      sizeof(name) - 1);
+               if (ret != 0) {
+                       err = ret;
+                       goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+                        */
+                       ret = get_name(0, buf, next - rdlen, buf + buflen,
+                                       rsp, rsp_len, &output_len, &end,
+-                                      name, &name_len);
++                                      name, sizeof(name) - 1, &name_len);
+                       if (ret != 0) {
+                               /* just ignore the error at this point */
+                               ptr = next;
+-- 
+cgit v1.1
+
diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb 
b/meta/recipes-connectivity/connman/connman_1.34.bb
index 868f940..dc2c688 100644
--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -7,6 +7,7 @@ SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://connman \
             file://no-version-scripts.patch \
             file://includes.patch \
+            file://CVE-2017-12865.patch \
             "
 SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch \
                              "