author | Yi Zhao <yi.zhao@windriver.com> | 2024-09-01 07:04:29 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2024-09-01 08:12:58 -0700 |
commit | 6f0ed176f23059e89f8bc4c1a466928b88a61a03 (patch) | |
tree | e4a1f9196100fb07525d22eb1f0542c9faadbaf4 | |
parent | e8c25c86963e8955173e522ca088498865532813 (diff) | |
download | meta-openembedded-6f0ed176f23059e89f8bc4c1a466928b88a61a03.tar.gz |
tcpdump: upgrade 4.99.4 -> 4.99.5
ChangeLog:
https://git.tcpdump.org/tcpdump/blob/HEAD:/CHANGES
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r-- | meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch | 129 | ||||
-rw-r--r--[-rwxr-xr-x] | meta-networking/recipes-support/tcpdump/tcpdump/run-ptest | 0 | ||||
-rw-r--r-- | meta-networking/recipes-support/tcpdump/tcpdump_4.99.5.bb (renamed from meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb) | 5 |
3 files changed, 2 insertions, 132 deletions
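--- a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001
-From: Guy Harris <gharris@sonic.net>
-Date: Tue, 12 Mar 2024 00:37:23 -0700
-Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer.
-
-This both saves the buffer for freeing later and saves the packet
-pointer and snapend to be restored when packet processing is complete,
-even if an exception is thrown with longjmp.
-
-This means that the hex/ASCII printing in pretty_print_packet()
-processes the packet data as captured or read from the savefile, rather
-than as modified by the PPP printer, so that the bounds checking is
-correct.
-
-That fixes CVE-2024-2397, which was caused by an exception being thrown
-by the hex/ASCII printer (which should only happen if those routines are
-called by a packet printer, not if they're called for the -X/-x/-A
-flag), which jumps back to the setjmp() that surrounds the packet
-printer. Hilarity^Winfinite looping ensues.
-
-Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
-routine, in case nd_pop_all_packet_info() didn't restore it.
-
-Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2]
-CVE: CVE-2024-2397
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
-print-ppp.c | 31 +++++++++++++++++--------------
-print.c | 8 ++++++--
-2 files changed, 23 insertions(+), 16 deletions(-)
-
-diff --git a/print-ppp.c b/print-ppp.c
-index aba243d..e5ae064 100644
---- a/print-ppp.c
-+++ b/print-ppp.c
-@@ -42,6 +42,8 @@
-#include <net/if_ppp.h>
-#endif
-
-+#include <stdlib.h>
-+
-#include "netdissect.h"
-#include "extract.h"
-#include "addrtoname.h"
-@@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo,
-u_char *b, *t, c;
-const u_char *s;
-u_int i, proto;
-- const void *sb, *se;
-
-if (caplen == 0)
-return;
-@@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo,
-if (length == 0)
-return;
-
-- b = (u_char *)nd_malloc(ndo, caplen);
-- if (b == NULL)
-- return;
-+ b = (u_char *)malloc(caplen);
-+ if (b == NULL) {
-+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
-+ "%s: malloc", __func__);
-+ }
-
-/*
-* Unescape all the data into a temporary, private, buffer.
-@@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo,
-}
-
-/*
-- * Change the end pointer, so bounds checks work.
-- * Change the pointer to packet data to help debugging.
-+ * Switch to the output buffer for dissection, and save it
-+ * on the buffer stack so it can be freed; our caller must
-+ * pop it when done.
-*/
-- sb = ndo->ndo_packetp;
-- se = ndo->ndo_snapend;
-- ndo->ndo_packetp = b;
-- ndo->ndo_snapend = t;
-+ if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) {
-+ free(b);
-+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
-+ "%s: can't push buffer on buffer stack", __func__);
-+ }
-length = ND_BYTES_AVAILABLE_AFTER(b);
-
-/* now lets guess about the payload codepoint format */
-@@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo,
-}
-
-cleanup:
-- ndo->ndo_packetp = sb;
-- ndo->ndo_snapend = se;
-+ nd_pop_packet_info(ndo);
-return;
-
-trunc:
-- ndo->ndo_packetp = sb;
-- ndo->ndo_snapend = se;
-+ nd_pop_packet_info(ndo);
-nd_print_trunc(ndo);
-}
-
-diff --git a/print.c b/print.c
-index 9c0ab86..33706b9 100644
---- a/print.c
-+++ b/print.c
-@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h,
-nd_pop_all_packet_info(ndo);
-
-/*
-- * Restore the original snapend, as a printer might have
-- * changed it.
-+ * Restore the originals snapend and packetp, as a printer
-+ * might have changed them.
-+ *
-+ * XXX - nd_pop_all_packet_info() should have restored the
-+ * original values, but, just in case....
-*/
-ndo->ndo_snapend = sp + h->caplen;
-+ ndo->ndo_packetp = sp;
-if (ndo->ndo_Xflag) {
-/*
-* Print the raw packet data in hex and ASCII.
---
-2.25.1
-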
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/run-ptest b/meta-networking/recipes-support/tcpdump/tcpdump/run-ptest index 2bfb2267d..2bfb2267d 100755..100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump/run-ptest +++ b/meta-networking/recipes-support/tcpdump/tcpdump/run-ptest | |||
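--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.5.bb
@@ -21,13 +21,12 @@ RDEPENDS:${PN}-ptest += " make perl \
 "
 
 SRC_URI = " \
-http://www.tcpdump.org/release/${BP}.tar.gz \
+http://www.tcpdump.org/release/${BP}.tar.xz \
 file://add-ptest.patch \
 file://run-ptest \
-file://CVE-2024-2397.patch \
 "
 
-SRC_URI[sha256sum] = "0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea"
+SRC_URI[sha256sum] = "d76395ab82d659d526291b013eee200201380930793531515abfc6e77b4f2ee5"
 
 UPSTREAM_CHECK_REGEX = "tcpdump-(?P<pver>\d+(\.\d+)+)\.tar"
 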
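Review bot: Removing `file://CVE-2024-2397.patch \` from SRC_URI is only correct if the 4.99.5 tarball already contains the backported change (the deleted patch names upstream commit b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2), and nothing in the commit message records that this was checked. I would add a line to the message such as `Drop CVE-2024-2397.patch as the fix is included in 4.99.5.` so the CVE status of this recipe stays auditable. Separately, the new tarball line still fetches over plain HTTP, which leaves the `SRC_URI[sha256sum]` pin as the only integrity check on the download. If the upstream site serves the release directory over TLS, `https://www.tcpdump.org/release/${BP}.tar.xz \` would be preferable.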