Upstream-Status: Backport from 
https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2

Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com>
---
 .../tcpdump/tcpdump/CVE-2024-2397.patch       | 129 ++++++++++++++++++
 .../recipes-support/tcpdump/tcpdump_4.99.4.bb |   1 +
 2 files changed, 130 insertions(+)
 create mode 100644 
meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch

diff --git 
a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch 
b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch
new file mode 100644
index 0000000000..69348030bb
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch
@@ -0,0 +1,129 @@
+From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001
+From: Guy Harris <ghar...@sonic.net>
+Date: Tue, 12 Mar 2024 00:37:23 -0700
+Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer.
+
+This both saves the buffer for freeing later and saves the packet
+pointer and snapend to be restored when packet processing is complete,
+even if an exception is thrown with longjmp.
+
+This means that the hex/ASCII printing in pretty_print_packet()
+processes the packet data as captured or read from the savefile, rather
+than as modified by the PPP printer, so that the bounds checking is
+correct.
+
+That fixes CVE-2024-2397, which was caused by an exception being thrown
+by the hex/ASCII printer (which should only happen if those routines are
+called by a packet printer, not if they're called for the -X/-x/-A
+flag), which jumps back to the setjmp() that surrounds the packet
+printer.  Hilarity^Winfinite looping ensues.
+
+Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
+routine, in case nd_pop_all_packet_info() didn't restore it.
+
+Upstream-Status: Backport 
[https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2]
+CVE: CVE-2024-2397
+Signed-off-by: Hitendra Prajapati <hprajap...@mvista.com>
+---
+ print-ppp.c | 31 +++++++++++++++++--------------
+ print.c     |  8 ++++++--
+ 2 files changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index aba243d..e5ae064 100644
+--- a/print-ppp.c
++++ b/print-ppp.c
+@@ -42,6 +42,8 @@
+ #include <net/if_ppp.h>
+ #endif
+ 
++#include <stdlib.h>
++
+ #include "netdissect.h"
+ #include "extract.h"
+ #include "addrtoname.h"
+@@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo,
+       u_char *b, *t, c;
+       const u_char *s;
+       u_int i, proto;
+-      const void *sb, *se;
+ 
+       if (caplen == 0)
+               return;
+@@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo,
+         if (length == 0)
+                 return;
+ 
+-      b = (u_char *)nd_malloc(ndo, caplen);
+-      if (b == NULL)
+-              return;
++      b = (u_char *)malloc(caplen);
++      if (b == NULL) {
++              (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
++                      "%s: malloc", __func__);
++      }
+ 
+       /*
+        * Unescape all the data into a temporary, private, buffer.
+@@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo,
+       }
+ 
+       /*
+-       * Change the end pointer, so bounds checks work.
+-       * Change the pointer to packet data to help debugging.
++       * Switch to the output buffer for dissection, and save it
++       * on the buffer stack so it can be freed; our caller must
++       * pop it when done.
+        */
+-      sb = ndo->ndo_packetp;
+-      se = ndo->ndo_snapend;
+-      ndo->ndo_packetp = b;
+-      ndo->ndo_snapend = t;
++      if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) {
++              free(b);
++              (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
++                      "%s: can't push buffer on buffer stack", __func__);
++      }
+       length = ND_BYTES_AVAILABLE_AFTER(b);
+ 
+         /* now lets guess about the payload codepoint format */
+@@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo,
+         }
+ 
+ cleanup:
+-      ndo->ndo_packetp = sb;
+-      ndo->ndo_snapend = se;
++      nd_pop_packet_info(ndo);
+         return;
+ 
+ trunc:
+-      ndo->ndo_packetp = sb;
+-      ndo->ndo_snapend = se;
++      nd_pop_packet_info(ndo);
+       nd_print_trunc(ndo);
+ }
+ 
+diff --git a/print.c b/print.c
+index 9c0ab86..33706b9 100644
+--- a/print.c
++++ b/print.c
+@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const 
struct pcap_pkthdr *h,
+       nd_pop_all_packet_info(ndo);
+ 
+       /*
+-       * Restore the original snapend, as a printer might have
+-       * changed it.
++       * Restore the originals snapend and packetp, as a printer
++       * might have changed them.
++       *
++       * XXX - nd_pop_all_packet_info() should have restored the
++       * original values, but, just in case....
+        */
+       ndo->ndo_snapend = sp + h->caplen;
++      ndo->ndo_packetp = sp;
+       if (ndo->ndo_Xflag) {
+               /*
+                * Print the raw packet data in hex and ASCII.
+-- 
+2.25.1
+
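Review bot: The new allocation at `b = (u_char *)malloc(caplen);` and the `nd_push_buffer` failure branch both fall through after `(*ndo->ndo_error)(...)` with no `return`, so the remainder of ppp_hdlc would run with b NULL (or already freed) unless that callback never returns; in tcpdump it is declared noreturn, but as this is a backport onto 4.99.4 it is worth confirming that the target tree's `ndo_error`, `nd_push_buffer` and `nd_pop_packet_info` behave as the patch assumes rather than relying on the patch merely applying cleanly. The new comment `on the buffer stack so it can be freed; our caller must pop it when done` also sits oddly with the function itself calling `nd_pop_packet_info(ndo)` at both cleanup: and trunc:; only on the longjmp path is the pop left to `nd_pop_all_packet_info()` in pretty_print_packet(), which the print.c hunk then double-checks by restoring `ndo_snapend` and `ndo_packetp` itself. Both observations concern upstream's own hunk text that the backport inherits verbatim, so they are notes for the recipe maintainer rather than edits to the patch. The opening of ppp_hdlc lies outside the quoted hunks.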
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb 
b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
index 803a9bb5f5..b05b832dd8 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
     http://www.tcpdump.org/release/${BP}.tar.gz \
     file://add-ptest.patch \
     file://run-ptest \
+    file://CVE-2024-2397.patch \
 "
 
 SRC_URI[sha256sum] = 
"0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea"
-- 
2.25.1
