In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length that depends on an RR RDLENGTH value, i.e., *rdlen=ntohs(rr->rdlen) and memcpy(response+offset,*end,*rdlen) without a check for whether the sum of *end and *rdlen exceeds max. Consequently, *rdlen may be larger than the amount of remaining packet data in the current state of parsing. Values of stack memory locations may be sent over the network in a response.
An Out-of-Bounds memory read vulnerability has been discovered in the parse_rr function within the dnsproxy.c file of ConnMan's DNS proxy implementation. This vulnerability occurs during the parsing of Resource Records (RR) in DNS response packets.
The vulnerable code uses the RDLENGTH value (rdlen) from DNS response packets without validating it against the data actually remaining in the packet, so an attacker can supply a length value larger than the actual packet size. The result is a read beyond the packet buffer when ConnMan copies the record into the response it caches and reuses for subsequent DNS requests.
*rdlen = ntohs(rr->rdlen); - The function parses the resource record data length from the DNS response.
if ((offset + *rdlen) > *response_size) return -ENOBUFS; - There is a check against the response buffer size, but...
There is no validation that *rdlen is within the bounds of the actual remaining packet data (the distance between *end and max).
memcpy(response + offset, *end, *rdlen); - The function copies rdlen bytes without verifying if that many bytes actually exist in the packet.
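To make the missing check concrete, the following is an added example (not ConnMan's code) that models the RDATA copy step of an RR parser with both the existing output-side check and the input-side check the description says is absent. The function name copy_rdata, the fixed 10-byte RR header layout after the owner name, and the two constructed packets are assumptions for illustration; the field order (TYPE, CLASS, TTL, RDLENGTH, RDATA) follows the DNS wire format.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Wire-format RR header following the owner name: TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */
#define RR_HDR_LEN 10
#define RR_RDLEN_OFF 8

/* Copy one RR's RDATA into the response buffer (hypothetical model, not ConnMan's parse_rr).
 * `ptr` points at the RR header inside the packet, `max` one past the packet's last byte.
 * Returns the number of RDATA bytes copied, -EINVAL if the packet is truncated
 * relative to RDLENGTH, or -ENOBUFS if the response buffer is full. */
static int copy_rdata(const unsigned char *ptr, const unsigned char *max,
                      unsigned char *response, size_t response_size, size_t *offset)
{
    /* The RR header itself must lie fully inside the packet */
    if (ptr > max || (size_t)(max - ptr) < RR_HDR_LEN)
        return -EINVAL;

    uint16_t rdlen;
    memcpy(&rdlen, ptr + RR_RDLEN_OFF, sizeof(rdlen));
    rdlen = ntohs(rdlen);                       /* attacker-controlled length */
    const unsigned char *rdata = ptr + RR_HDR_LEN;

    /* Output-side check: the only bound the vulnerable version enforced */
    if (*offset + rdlen > response_size)
        return -ENOBUFS;

    /* Input-side check that was missing: RDLENGTH must not exceed the bytes
     * remaining between the RDATA start and the end of the packet */
    if ((size_t)(max - rdata) < rdlen)
        return -EINVAL;

    memcpy(response + *offset, rdata, rdlen);
    *offset += rdlen;
    return (int)rdlen;
}

/* Constructed A record: TYPE=1 CLASS=1 TTL=3600 RDLENGTH=4 RDATA=192.0.2.1 */
static const unsigned char GOOD_RR[] = {
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x00, 0x04, 192, 0, 2, 1
};

/* Constructed malformed record: same RR but RDLENGTH=4096 with only 4 RDATA bytes present */
static const unsigned char BAD_RR[] = {
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x0e, 0x10, 0x10, 0x00, 192, 0, 2, 1
};

/* Well-formed record: expect 4 bytes copied */
int demo_wellformed(void)
{
    unsigned char response[512];
    size_t offset = 0;
    return copy_rdata(GOOD_RR, GOOD_RR + sizeof(GOOD_RR), response, sizeof(response), &offset);
}

/* RDLENGTH larger than the remaining packet: the output check alone would pass
 * (4096 < 65536), so only the input-side check stops the over-read */
int demo_truncated(void)
{
    unsigned char response[65536];
    size_t offset = 0;
    return copy_rdata(BAD_RR, BAD_RR + sizeof(BAD_RR), response, sizeof(response), &offset);
}

/* Response buffer too small for a valid record: the pre-existing check fires */
int demo_response_full(void)
{
    unsigned char response[2];
    size_t offset = 0;
    return copy_rdata(GOOD_RR, GOOD_RR + sizeof(GOOD_RR), response, sizeof(response), &offset);
}

int main(void)
{
    printf("well-formed: %d\n", demo_wellformed());       /* 4 */
    printf("truncated:   %d\n", demo_truncated());        /* -EINVAL */
    printf("resp full:   %d\n", demo_response_full());    /* -ENOBUFS */
    return 0;
}
```

The second demo is the shape of the bug: a large RDLENGTH passes the response-size check, so without comparing it against `max - rdata` the memcpy would read past the end of the packet buffer and copy whatever follows it (on the page's description, stack memory) into the cached response.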