ndpi: fix CVE-2021-36082

Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Changqing Li <changqing.li@windriver.com> 2021-08-10 11:55:40 +0800
committer: Khem Raj <raj.khem@gmail.com> 2021-08-10 09:01:46 -0700
commit: 7fd9678e645fb1c167d70f3a7336a7832e9e0693 (patch)
tree: d54ec5f650f3f8c10d165d1b9ff6fa65837c47d6 /meta-networking
parent: 242ba8e2fc4395b2bdc47c46e40c7f84402798c4 (diff)
download: meta-openembedded-7fd9678e645fb1c167d70f3a7336a7832e9e0693.tar.gz
2 files changed, 117 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch b/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch
new file mode 100644
index 000000000..8fdd62d18
--- /dev/null
+++ b/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch
@@ -0,0 +1,116 @@
+From 1ec621c85b9411cc611652fd57a892cfef478af3 Mon Sep 17 00:00:00 2001
+From: Luca Deri <deri@ntop.org>
+Date: Sat, 15 May 2021 19:53:46 +0200
+Subject: [PATCH] Added further checks
+Upstream-Status: Backport [https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3]
+CVE: CVE-2021-36082
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/lib/protocols/netbios.c |  2 +-
+ src/lib/protocols/tls.c     | 32 +++++++++++++++++---------------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
+index 1f3850cb..0d3b705f 100644
+--- a/src/lib/protocols/netbios.c
+++ b/src/lib/protocols/netbios.c
+@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
+   int ret = 0, len, idx = inlen;
+   char *b;
+ 
+-  len = (*in++)/2;
+  len = (*in++)/2, inlen--;
+   b  = out;
+   *out = 0;
+ 
+diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
+index 5b572cae..c115ac08 100644
+--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
+@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+        i += 4 + extension_len, offset += 4 + extension_len;
+       }
+ 
+-      ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
+      ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+ 
+-      for(i=0; i<ja3.num_cipher; i++) {
+-       rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
+      for(i=0; (i<ja3.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
+       rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
+ 
+        if(rc <= 0) break; else ja3_str_len += rc;
+       }
+ 
+-      rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+-      if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+      if(JA3_STR_LEN > ja3_str_len) {
+          rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+          if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+      }
+ 
+       /* ********** */
+ 
+-      for(i=0; i<ja3.num_tls_extension; i++) {
+-       int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
+      for(i=0; (i<ja3.num_tls_extension) && (JA3_STR_LEN-ja3_str_len); i++) {
+       int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
+ 
+        if(rc <= 0) break; else ja3_str_len += rc;
+       }
+@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+              int rc;
+ 
+            compute_ja3c:
+-             ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
+             ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+ 
+              for(i=0; i<ja3.num_cipher; i++) {
+-               rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+               rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+                              (i > 0) ? "-" : "", ja3.cipher[i]);
+                if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+              }
+ 
+-             rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+             rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+              if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+              /* ********** */
+ 
+              for(i=0; i<ja3.num_tls_extension; i++) {
+-               rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+               rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+                              (i > 0) ? "-" : "", ja3.tls_extension[i]);
+                if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+              }
+ 
+-             rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+             rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+              if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+              /* ********** */
+ 
+              for(i=0; i<ja3.num_elliptic_curve; i++) {
+-               rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+               rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+                              (i > 0) ? "-" : "", ja3.elliptic_curve[i]);
+                if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+              }
+ 
+-             rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+             rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+              if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+ 
+              for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
+-               rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
+               rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+                              (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
+                if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+              }
+-- 
+2.17.1
diff --git a/meta-networking/recipes-support/ntopng/ndpi_3.4.bb b/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
index cfc60a7aa..89450f562 100644
--- a/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
+++ b/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b52f2d57d10c4f7ee67a7eb9615d5d24"
 SRCREV = "64929a75e0a7a60d864bd25a9fd97fdf9ac892a2"
 SRC_URI = "git://github.com/ntop/nDPI.git;branch=3.4-stable \
           file://0001-autogen.sh-not-generate-configure.patch \
+           file://CVE-2021-36082.patch \
 "
 S = "${WORKDIR}/git"
author	Changqing Li <changqing.li@windriver.com>	2021-08-10 11:55:40 +0800
committer	Khem Raj <raj.khem@gmail.com>	2021-08-10 09:01:46 -0700
commit	7fd9678e645fb1c167d70f3a7336a7832e9e0693 (patch)
tree	d54ec5f650f3f8c10d165d1b9ff6fa65837c47d6 /meta-networking
parent	242ba8e2fc4395b2bdc47c46e40c7f84402798c4 (diff)
download	meta-openembedded-7fd9678e645fb1c167d70f3a7336a7832e9e0693.tar.gz

diff --git a/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch b/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch new file mode 100644 index 000000000..8fdd62d18 --- /dev/null +++ b/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch
@@ -0,0 +1,116 @@
		1	From 1ec621c85b9411cc611652fd57a892cfef478af3 Mon Sep 17 00:00:00 2001
		2	From: Luca Deri <deri@ntop.org>
		3	Date: Sat, 15 May 2021 19:53:46 +0200
		4	Subject: [PATCH] Added further checks
		5
		6	Upstream-Status: Backport [https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3]
		7	CVE: CVE-2021-36082
		8
		9	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		10
		11	---
		12	src/lib/protocols/netbios.c \| 2 +-
		13	src/lib/protocols/tls.c \| 32 +++++++++++++++++---------------
		14	2 files changed, 18 insertions(+), 16 deletions(-)
		15
		16	diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
		17	index 1f3850cb..0d3b705f 100644
		18	--- a/src/lib/protocols/netbios.c
		19	+++ b/src/lib/protocols/netbios.c
		20	@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char in, size_t inlen, char out, u_int out_len
		21	int ret = 0, len, idx = inlen;
		22	char *b;
		23
		24	- len = (*in++)/2;
		25	+ len = (*in++)/2, inlen--;
		26	b = out;
		27	*out = 0;
		28
		29	diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
		30	index 5b572cae..c115ac08 100644
		31	--- a/src/lib/protocols/tls.c
		32	+++ b/src/lib/protocols/tls.c
		33	@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
		34	i += 4 + extension_len, offset += 4 + extension_len;
		35	}
		36
		37	- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
		38	+ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
		39
		40	- for(i=0; i<ja3.num_cipher; i++) {
		41	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
		42	+ for(i=0; (i<ja3.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
		43	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
		44
		45	if(rc <= 0) break; else ja3_str_len += rc;
		46	}
		47
		48	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
		49	- if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
		50	+ if(JA3_STR_LEN > ja3_str_len) {
		51	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
		52	+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
		53	+ }
		54
		55	/* ********** */
		56
		57	- for(i=0; i<ja3.num_tls_extension; i++) {
		58	- int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
		59	+ for(i=0; (i<ja3.num_tls_extension) && (JA3_STR_LEN-ja3_str_len); i++) {
		60	+ int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
		61
		62	if(rc <= 0) break; else ja3_str_len += rc;
		63	}
		64	@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
		65	int rc;
		66
		67	compute_ja3c:
		68	- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
		69	+ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
		70
		71	for(i=0; i<ja3.num_cipher; i++) {
		72	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
		73	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
		74	(i > 0) ? "-" : "", ja3.cipher[i]);
		75	if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
		76	}
		77
		78	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
		79	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
		80	if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
		81
		82	/* ********** */
		83
		84	for(i=0; i<ja3.num_tls_extension; i++) {
		85	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
		86	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
		87	(i > 0) ? "-" : "", ja3.tls_extension[i]);
		88	if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
		89	}
		90
		91	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
		92	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
		93	if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
		94
		95	/* ********** */
		96
		97	for(i=0; i<ja3.num_elliptic_curve; i++) {
		98	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
		99	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
		100	(i > 0) ? "-" : "", ja3.elliptic_curve[i]);
		101	if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
		102	}
		103
		104	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
		105	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
		106	if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
		107
		108	for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
		109	- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
		110	+ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
		111	(i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
		112	if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
		113	}
		114	--
		115	2.17.1
		116


diff --git a/meta-networking/recipes-support/ntopng/ndpi_3.4.bb b/meta-networking/recipes-support/ntopng/ndpi_3.4.bb index cfc60a7aa..89450f562 100644 --- a/meta-networking/recipes-support/ntopng/ndpi_3.4.bb +++ b/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
@@ -11,6 +11,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b52f2d57d10c4f7ee67a7eb9615d5d24"
11	SRCREV = "64929a75e0a7a60d864bd25a9fd97fdf9ac892a2"	11	SRCREV = "64929a75e0a7a60d864bd25a9fd97fdf9ac892a2"
12	SRC_URI = "git://github.com/ntop/nDPI.git;branch=3.4-stable \	12	SRC_URI = "git://github.com/ntop/nDPI.git;branch=3.4-stable \
13	file://0001-autogen.sh-not-generate-configure.patch \	13	file://0001-autogen.sh-not-generate-configure.patch \
		14	file://CVE-2021-36082.patch \
14	"	15	"
15		16
16	S = "${WORKDIR}/git"	17	S = "${WORKDIR}/git"