tcpdump: Patch for CVE-2020-8037

Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: viatsk <viatsk@fastmail.com> 2020-11-24 19:29:04 -0500
committer: Khem Raj <raj.khem@gmail.com> 2020-11-24 21:19:34 -0800
commit: 0192d60708b023fc13bd5a392f11afba349ef850 (patch)
tree: f03d07856fa3bd169758e368a5f110f1996a6019 /meta-networking
parent: 51c495772d3186ff7625675c83547eb7410db57f (diff)
download: meta-openembedded-0192d60708b023fc13bd5a392f11afba349ef850.tar.gz
2 files changed, 71 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
new file mode 100644
index 000000000..9b74e00c5
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
@@ -0,0 +1,70 @@
+From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
+From: Guy Harris <guy@alum.mit.edu>
+Date: Sat, 18 Apr 2020 14:04:59 -0700
+Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
+The buffer should be big enough to hold the captured data, but it
+doesn't need to be big enough to hold the entire on-the-network packet,
+if we haven't captured all of it.
+(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
+Upstream-Status: Backport
+Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
+---
+ print-ppp.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+diff --git a/print-ppp.c b/print-ppp.c
+index 89176172..33fb0341 100644
+--- a/print-ppp.c
+++ b/print-ppp.c
+@@ -1367,19 +1367,29 @@ trunc:
+        return 0;
+ }
+ 
+/*
+ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
+ * The length argument is the on-the-wire length, not the captured
+ * length; we can only un-escape the captured part.
+ */
+ static void
+ ppp_hdlc(netdissect_options *ndo,
+          const u_char *p, int length)
+ {
+       u_int caplen = ndo->ndo_snapend - p;
+        u_char *b, *t, c;
+        const u_char *s;
+-       int i, proto;
+       u_int i;
+       int proto;
+        const void *se;
+ 
+       if (caplen == 0)
+               return;
+
+         if (length <= 0)
+                 return;
+ 
+-       b = (u_char *)malloc(length);
+       b = (u_char *)malloc(caplen);
+        if (b == NULL)
+                return;
+ 
+@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
+         * Do this so that we dont overwrite the original packet
+         * contents.
+         */
+-       for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
+       for (s = p, t = b, i = caplen; i != 0; i--) {
+                c = *s++;
+                if (c == 0x7d) {
+-                       if (i <= 1 || !ND_TTEST(*s))
+                       if (i <= 1)
+                                break;
+                        i--;
+                        c = *s++ ^ 0x20;
+-- 
+2.17.1
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
index 94543dd1d..8f7bd59f1 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
    file://avoid-absolute-path-when-searching-for-libdlpi.patch \
    file://add-ptest.patch \
    file://run-ptest \
+    file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
 "
 SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
author	viatsk <viatsk@fastmail.com>	2020-11-24 19:29:04 -0500
committer	Khem Raj <raj.khem@gmail.com>	2020-11-24 21:19:34 -0800
commit	0192d60708b023fc13bd5a392f11afba349ef850 (patch)
tree	f03d07856fa3bd169758e368a5f110f1996a6019 /meta-networking
parent	51c495772d3186ff7625675c83547eb7410db57f (diff)
download	meta-openembedded-0192d60708b023fc13bd5a392f11afba349ef850.tar.gz

diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch new file mode 100644 index 000000000..9b74e00c5 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch
@@ -0,0 +1,70 @@
		1	From 32027e199368dad9508965aae8cd8de5b6ab5231 Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <guy@alum.mit.edu>
		3	Date: Sat, 18 Apr 2020 14:04:59 -0700
		4	Subject: [PATCH] PPP: When un-escaping, don't allocate a too-large buffer.
		5
		6	The buffer should be big enough to hold the captured data, but it
		7	doesn't need to be big enough to hold the entire on-the-network packet,
		8	if we haven't captured all of it.
		9
		10	(backported from commit e4add0b010ed6f2180dcb05a13026242ed935334)
		11
		12	Upstream-Status: Backport
		13	Signed-off-by: Stacy Gaikovaia <stacy.gaikovaia@windriver.com>
		14
		15	---
		16	print-ppp.c \| 18 ++++++++++++++----
		17	1 file changed, 14 insertions(+), 4 deletions(-)
		18
		19	diff --git a/print-ppp.c b/print-ppp.c
		20	index 89176172..33fb0341 100644
		21	--- a/print-ppp.c
		22	+++ b/print-ppp.c
		23	@@ -1367,19 +1367,29 @@ trunc:
		24	return 0;
		25	}
		26
		27	+/*
		28	+ * Un-escape RFC 1662 PPP in HDLC-like framing, with octet escapes.
		29	+ * The length argument is the on-the-wire length, not the captured
		30	+ * length; we can only un-escape the captured part.
		31	+ */
		32	static void
		33	ppp_hdlc(netdissect_options *ndo,
		34	const u_char *p, int length)
		35	{
		36	+ u_int caplen = ndo->ndo_snapend - p;
		37	u_char b, t, c;
		38	const u_char *s;
		39	- int i, proto;
		40	+ u_int i;
		41	+ int proto;
		42	const void *se;
		43
		44	+ if (caplen == 0)
		45	+ return;
		46	+
		47	if (length <= 0)
		48	return;
		49
		50	- b = (u_char *)malloc(length);
		51	+ b = (u_char *)malloc(caplen);
		52	if (b == NULL)
		53	return;
		54
		55	@@ -1388,10 +1398,10 @@ ppp_hdlc(netdissect_options *ndo,
		56	* Do this so that we dont overwrite the original packet
		57	* contents.
		58	*/
		59	- for (s = p, t = b, i = length; i > 0 && ND_TTEST(*s); i--) {
		60	+ for (s = p, t = b, i = caplen; i != 0; i--) {
		61	c = *s++;
		62	if (c == 0x7d) {
		63	- if (i <= 1 \|\| !ND_TTEST(*s))
		64	+ if (i <= 1)
		65	break;
		66	i--;
		67	c = *s++ ^ 0x20;
		68	--
		69	2.17.1
		70


diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb index 94543dd1d..8f7bd59f1 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -17,6 +17,7 @@ SRC_URI = " \
17	file://avoid-absolute-path-when-searching-for-libdlpi.patch \	17	file://avoid-absolute-path-when-searching-for-libdlpi.patch \
18	file://add-ptest.patch \	18	file://add-ptest.patch \
19	file://run-ptest \	19	file://run-ptest \
		20	file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
20	"	21	"
21		22
22	SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"	23	SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"