c-ares: CVE-2023-32067 0-byte UDP payload Denial of Service

Upstream-Status: Backport from https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Vijay Anusuri <vanusuri@mvista.com> 2023-07-18 08:22:21 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-07-22 07:49:35 -0400
commit: 3c62000f88c7a81646f7dfe8a8d9ac145a8b9af5 (patch)
tree: c5e53a6cd02fa8bbec08c920f2b4c930ce9fe700
parent: b8b0b06821d4d4df0cce4f07fa31a8ca1dd38f46 (diff)
download: meta-openembedded-3c62000f88c7a81646f7dfe8a8d9ac145a8b9af5.tar.gz
2 files changed, 85 insertions, 0 deletions
diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
new file mode 100644
index 0000000000..63192d3c81
--- /dev/null
+++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
@@ -0,0 +1,84 @@
+From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
+From: Brad House <brad@brad-house.com>
+Date: Mon, 22 May 2023 06:51:49 -0400
+Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
+Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
+Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae]
+CVE: CVE-2023-32067
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ src/lib/ares_process.c | 41 +++++++++++++++++++++++++----------------
+ 1 file changed, 25 insertions(+), 16 deletions(-)
+diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
+index bf0cde464..6cac0a99f 100644
+--- a/src/lib/ares_process.c
+++ b/src/lib/ares_process.c
+@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+ {
+   struct server_state *server;
+   int i;
+-  ares_ssize_t count;
+  ares_ssize_t read_len;
+   unsigned char buf[MAXENDSSZ + 1];
+ #ifdef HAVE_RECVFROM
+   ares_socklen_t fromlen;
+@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
+       /* To reduce event loop overhead, read and process as many
+        * packets as we can. */
+       do {
+-        if (server->udp_socket == ARES_SOCKET_BAD)
+-          count = 0;
+-
+-        else {
+-          if (server->addr.family == AF_INET)
+        if (server->udp_socket == ARES_SOCKET_BAD) {
+          read_len = -1;
+        } else {
+          if (server->addr.family == AF_INET) {
+             fromlen = sizeof(from.sa4);
+-          else
+          } else {
+             fromlen = sizeof(from.sa6);
+-          count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+-                                  sizeof(buf), 0, &from.sa, &fromlen);
+          }
+          read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
+                                     sizeof(buf), 0, &from.sa, &fromlen);
+         }
+ 
+-        if (count == -1 && try_again(SOCKERRNO))
+        if (read_len == 0) {
+          /* UDP is connectionless, so result code of 0 is a 0-length UDP
+           * packet, and not an indication the connection is closed like on
+           * tcp */
+           continue;
+-        else if (count <= 0)
+        } else if (read_len < 0) {
+          if (try_again(SOCKERRNO))
+            continue;
+
+           handle_error(channel, i, now);
+
+ #ifdef HAVE_RECVFROM
+-        else if (!same_address(&from.sa, &server->addr))
+        } else if (!same_address(&from.sa, &server->addr)) {
+           /* The address the response comes from does not match the address we
+            * sent the request to. Someone may be attempting to perform a cache
+            * poisoning attack. */
+-          break;
+          continue;
+ #endif
+-        else
+-          process_answer(channel, buf, (int)count, i, 0, now);
+-       } while (count > 0);
+
+        } else {
+          process_answer(channel, buf, (int)read_len, i, 0, now);
+        }
+      } while (read_len >= 0);
+     }
+ }
+ 
diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
index 152d913325..2aa7897608 100644
--- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
+++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
           file://CVE-2022-4904.patch \
           file://CVE-2023-31130.patch \
           file://CVE-2023-31147.patch \
+           file://CVE-2023-32067.patch \
          "
 SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
author	Vijay Anusuri <vanusuri@mvista.com>	2023-07-18 08:22:21 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-07-22 07:49:35 -0400
commit	3c62000f88c7a81646f7dfe8a8d9ac145a8b9af5 (patch)
tree	c5e53a6cd02fa8bbec08c920f2b4c930ce9fe700
parent	b8b0b06821d4d4df0cce4f07fa31a8ca1dd38f46 (diff)
download	meta-openembedded-3c62000f88c7a81646f7dfe8a8d9ac145a8b9af5.tar.gz

diff --git a/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch new file mode 100644 index 0000000000..63192d3c81 --- /dev/null +++ b/meta-oe/recipes-support/c-ares/c-ares/CVE-2023-32067.patch
@@ -0,0 +1,84 @@
		1	From b9b8413cfdb70a3f99e1573333b23052d57ec1ae Mon Sep 17 00:00:00 2001
		2	From: Brad House <brad@brad-house.com>
		3	Date: Mon, 22 May 2023 06:51:49 -0400
		4	Subject: [PATCH] Merge pull request from GHSA-9g78-jv2r-p7vc
		5
		6	Link: https://github.com/c-ares/c-ares/releases/tag/cares-1_19_1
		7
		8	Upstream-Status: Backport [https://github.com/c-ares/c-ares/commit/b9b8413cfdb70a3f99e1573333b23052d57ec1ae]
		9	CVE: CVE-2023-32067
		10	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		11	---
		12	src/lib/ares_process.c \| 41 +++++++++++++++++++++++++----------------
		13	1 file changed, 25 insertions(+), 16 deletions(-)
		14
		15	diff --git a/src/lib/ares_process.c b/src/lib/ares_process.c
		16	index bf0cde464..6cac0a99f 100644
		17	--- a/src/lib/ares_process.c
		18	+++ b/src/lib/ares_process.c
		19	@@ -470,7 +470,7 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
		20	{
		21	struct server_state *server;
		22	int i;
		23	- ares_ssize_t count;
		24	+ ares_ssize_t read_len;
		25	unsigned char buf[MAXENDSSZ + 1];
		26	#ifdef HAVE_RECVFROM
		27	ares_socklen_t fromlen;
		28	@@ -513,32 +513,41 @@ static void read_udp_packets(ares_channel channel, fd_set *read_fds,
		29	/* To reduce event loop overhead, read and process as many
		30	* packets as we can. */
		31	do {
		32	- if (server->udp_socket == ARES_SOCKET_BAD)
		33	- count = 0;
		34	-
		35	- else {
		36	- if (server->addr.family == AF_INET)
		37	+ if (server->udp_socket == ARES_SOCKET_BAD) {
		38	+ read_len = -1;
		39	+ } else {
		40	+ if (server->addr.family == AF_INET) {
		41	fromlen = sizeof(from.sa4);
		42	- else
		43	+ } else {
		44	fromlen = sizeof(from.sa6);
		45	- count = socket_recvfrom(channel, server->udp_socket, (void *)buf,
		46	- sizeof(buf), 0, &from.sa, &fromlen);
		47	+ }
		48	+ read_len = socket_recvfrom(channel, server->udp_socket, (void *)buf,
		49	+ sizeof(buf), 0, &from.sa, &fromlen);
		50	}
		51
		52	- if (count == -1 && try_again(SOCKERRNO))
		53	+ if (read_len == 0) {
		54	+ /* UDP is connectionless, so result code of 0 is a 0-length UDP
		55	+ * packet, and not an indication the connection is closed like on
		56	+ * tcp */
		57	continue;
		58	- else if (count <= 0)
		59	+ } else if (read_len < 0) {
		60	+ if (try_again(SOCKERRNO))
		61	+ continue;
		62	+
		63	handle_error(channel, i, now);
		64	+
		65	#ifdef HAVE_RECVFROM
		66	- else if (!same_address(&from.sa, &server->addr))
		67	+ } else if (!same_address(&from.sa, &server->addr)) {
		68	/* The address the response comes from does not match the address we
		69	* sent the request to. Someone may be attempting to perform a cache
		70	* poisoning attack. */
		71	- break;
		72	+ continue;
		73	#endif
		74	- else
		75	- process_answer(channel, buf, (int)count, i, 0, now);
		76	- } while (count > 0);
		77	+
		78	+ } else {
		79	+ process_answer(channel, buf, (int)read_len, i, 0, now);
		80	+ }
		81	+ } while (read_len >= 0);
		82	}
		83	}
		84


diff --git a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb index 152d913325..2aa7897608 100644 --- a/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb +++ b/meta-oe/recipes-support/c-ares/c-ares_1.18.1.bb
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/c-ares/c-ares.git;branch=main;protocol=https \
9	file://CVE-2022-4904.patch \	9	file://CVE-2022-4904.patch \
10	file://CVE-2023-31130.patch \	10	file://CVE-2023-31130.patch \
11	file://CVE-2023-31147.patch \	11	file://CVE-2023-31147.patch \
		12	file://CVE-2023-32067.patch \
12	"	13	"
13	SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"	14	SRCREV = "2aa086f822aad5017a6f2061ef656f237a62d0ed"
14		15