Hi,

It appears that this patch was missed on scarthgap.

The original author had already sent an earlier version of this patch before this one. It may have been due to missing branch information. Two minutes later, they replied “Kindly ignore this patch” to both of the original patches (CVE-2025-51006 and CVE-2025-9157), and then resent this revised version.

What is odd is that the patch for CVE-2025-9157 was correctly merged into scarthgap, while CVE-2025-51006 appears to have been missed.

Could anyone please help confirm this issue and merge the patch for CVE-2025-51006?

Thanks,

Liyin

On 9/25/2025 5:19 PM, Polampalli, Archana via lists.openembedded.org wrote:
From: Archana Polampalli <[email protected]>

Within tcpreplay's tcprewrite, a double free vulnerability has been identified
in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes
the cleanup routine multiple times on the same memory region. By supplying a
specifically crafted pcap file to the tcprewrite binary, a local attacker can
exploit this flaw to cause a Denial of Service (DoS) via memory corruption.

Signed-off-by: Archana Polampalli <[email protected]>
---
  .../tcpreplay/tcpreplay/CVE-2025-51006.patch  | 97 +++++++++++++++++++
  .../tcpreplay/tcpreplay_4.4.4.bb              |  1 +
  2 files changed, 98 insertions(+)
  create mode 100644 
meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch

diff --git 
a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch 
b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
new file mode 100644
index 0000000000..a55ac8c314
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
@@ -0,0 +1,97 @@
+From 868db118535a646a8a48c957f1e6367069be1aa7 Mon Sep 17 00:00:00 2001
+From: Fred Klassen <[email protected]>
+Date: Wed, 9 Jul 2025 21:01:12 -0700
+Subject: [PATCH] Bug #902 juniper: added safeguards Protect against invalid or
+ unsupported Juniper packets.
+
+Notes:
+
+- only Ethernet packets are currently supported
+- was unable to recreate the original bug, but areas where hardening was 
required
+
+CVE: CVE-2025-51006
+
+Upstream-Status: Backport 
[https://github.com/appneta/tcpreplay/commit/868db118535a646a8a48c957f1e6367069be1aa7]
+
+Signed-off-by: Archana Polampalli <[email protected]>
+---
+ .../plugins/dlt_jnpr_ether/jnpr_ether.c       | 33 +++++++++++++++++--
+ .../plugins/dlt_jnpr_ether/jnpr_ether.h       |  2 ++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c 
b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
+index 9642a2c..671d5c0 100644
+--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
++++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
+@@ -202,8 +202,12 @@ dlt_jnpr_ether_parse_opts(tcpeditdlt_t *ctx)
+ int
+ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
+ {
++    int extensions_len = 0;
+     int jnpr_header_len = 0;
+     const u_char *ethernet = NULL;
++    const u_char *extension;
++    u_char dlt = 0;
++    u_char encapsulation = 0;
+     jnpr_ether_config_t *config;
+
+     assert(ctx);
+@@ -228,9 +232,10 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char 
*packet, int pktlen)
+     }
+
+     /* then get the Juniper header length */
+-    memcpy(&jnpr_header_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
++    memcpy(&extensions_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
+
+-    jnpr_header_len = ntohs(jnpr_header_len) + JUNIPER_ETHER_HEADER_LEN;
++    extensions_len = ntohs(extensions_len);
++    jnpr_header_len = extensions_len + JUNIPER_ETHER_HEADER_LEN;
+
+     dbgx(1, "jnpr header len: %d", jnpr_header_len);
+     /* make sure the packet is big enough to find the Ethernet Header */
+@@ -245,6 +250,30 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char 
*packet, int pktlen)
+     /* jump to the appropriate offset */
+     ethernet = packet + jnpr_header_len;
+
++    /* parse the extension header to ensure this is Ethernet - the only DLT 
we currently support */
++    extension = packet + JUNIPER_ETHER_HEADER_LEN;
++    while (extension  < ethernet - 2) {
++        u_char ext_len = extension[1];
++        if (extension[0] == JUNIPER_ETHER_EXT_MEDIA_TYPE)
++            dlt = extension[2];
++        else if (extension[0] == JUNIPER_ETHER_EXT_ENCAPSULATION)
++            encapsulation = extension[2];
++        if (dlt != 0 && encapsulation != 0)
++            break;
++        extension += ext_len + 2;
++    }
++
++    if (extension > ethernet) {
++        tcpedit_seterr(ctx->tcpedit, "Extension to long! %d", extension - 
ethernet);
++        return TCPEDIT_ERROR;
++    }
++
++    if (dlt != DLT_EN10MB || encapsulation != 14) {
++        tcpedit_setwarn(ctx->tcpedit, "packet DLT %d and extension type %d not 
supported",
++            dlt, extension);
++        return TCPEDIT_WARN;
++    }
++
+     /* let the en10mb plugin decode the rest */
+     if (tcpedit_dlt_decode(config->subctx, ethernet, (pktlen - 
jnpr_header_len)) == TCPEDIT_ERROR)
+         return TCPEDIT_ERROR;
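Review bot: the `tcpedit_setwarn` call at the end of this hunk passes `extension` (a `const u_char *`) as the argument for the `%d` labelled "extension type"; the value the message is about is `encapsulation`, so the arguments should be `dlt, encapsulation`. In the same way `extension - ethernet` is a `ptrdiff_t` printed with `%d`, which should be cast to `int` or printed with `%td`. Two smaller points in the loop: `extension[2]` is read regardless of `ext_len`, so a zero-length TLV has the next TLV's type byte taken as its value (the `ethernet - 2` bound keeps the read inside the Juniper header, so this is a correctness rather than a memory-safety issue, but a `ext_len >= 1` guard before the value reads would make the DLT/encapsulation check reliable); and the error text should say "too long", with the double space in `extension  < ethernet - 2` removed.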
+diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h 
b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
+index 4875350..90c12b4 100644
+--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
++++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
+@@ -33,6 +33,8 @@ extern "C" {
+ #define JUNIPER_ETHER_L2PRESENT 0x80
+ #define JUNIPER_ETHER_DIRECTION 0x01
+ #define JUNIPER_ETHER_EXTLEN_OFFSET 4
++#define JUNIPER_ETHER_EXT_MEDIA_TYPE 3
++#define JUNIPER_ETHER_EXT_ENCAPSULATION 6
+
+ int dlt_jnpr_ether_register(tcpeditdlt_t *ctx);
+ int dlt_jnpr_ether_init(tcpeditdlt_t *ctx);
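Review bot: the `14` that `dlt_jnpr_ether_decode` compares `encapsulation` against in the jnpr_ether.c hunk is a bare magic number. Since this hunk already adds the extension-type constants, a named define next to `JUNIPER_ETHER_EXT_ENCAPSULATION` (for example `JUNIPER_ETHER_ENCAP_ETHERNET 14`, name suggested here) would document what the value means and keep the Juniper extension constants together.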
+--
+2.40.0
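Review bot: the recipe commit message above the diffstat describes CVE-2025-51006 as a double free in `dlt_linuxsll2_cleanup()` in `plugins/dlt_linuxsll2/linuxsll2.c`, but the backported upstream commit 868db118 only touches `dlt_jnpr_ether/jnpr_ether.c` and `jnpr_ether.h`, and its own subject is "juniper: added safeguards". Before merging to scarthgap, please confirm that this upstream commit is the fix for CVE-2025-51006, or adjust the commit message so the description matches the code being backported; the `CVE:` tag in the patch will make cve-check report the CVE as patched while the linuxsll2 cleanup path is unchanged.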
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb 
b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
index a784190868..04f3ee1c2d 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -15,6 +15,7 @@ SRC_URI = 
"https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
      file://CVE-2023-43279.patch \
      file://CVE-2024-22654-0001.patch \
      file://CVE-2024-22654-0002.patch \
+    file://CVE-2025-51006.patch \
  "
SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"



View/Reply Online (#123489): 
https://lists.openembedded.org/g/openembedded-devel/message/123489