tcpreplay: fix CVE-2024-22654

tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Archana Polampalli <archana.polampalli@windriver.com> 2025-06-03 21:18:44 +0530
committer: Armin Kuster <akuster808@gmail.com> 2025-07-10 20:13:26 -0400
commit: 4a58c213346ff3dc04624328d3fad1d244047714 (patch)
tree: cd022494d969b9085e02fb9085090771e3cdb365
parent: 6885bcddd4265c325d9b383e010c541dd272899a (diff)
download: meta-openembedded-4a58c213346ff3dc04624328d3fad1d244047714.tar.gz
3 files changed, 127 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
new file mode 100644
index 0000000000..26dedba8d4
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
@@ -0,0 +1,90 @@
+From 5b5644356693f5c68dd4295e86f24f1d0a515d60 Mon Sep 17 00:00:00 2001
+From: Fred Klassen <fred.klassen@broadcom.com>
+Date: Sat, 1 Jun 2024 11:46:10 -0700
+Subject: [PATCH 1/2] Bug #827 PR# 842: add check for IPv6 extension header
+ length
+CVE: CVE-2024-22654
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/5b5644356693f5c68dd4295e86f24f1d0a515d60]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/common/get.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+diff --git a/src/common/get.c b/src/common/get.c
+index 2d91116..89fe95b 100644
+--- a/src/common/get.c
+++ b/src/common/get.c
+@@ -41,8 +41,8 @@ extern const char pcap_version[];
+ static void *get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr);
+ 
+ /**
+- * Depending on what version of libpcap/WinPcap there are different ways to get
+- * the version of the libpcap/WinPcap library.  This presents a unified way to
+ * Depending on what version of libpcap there are different ways to get
+ * the version of the libpcap library.  This presents a unified way to
+  * get that information.
+  */
+ const char *
+@@ -196,8 +196,15 @@ parse_metadata(const u_char *pktdata,
+                uint32_t *vlan_offset)
+ {
+     bool done = false;
+-    int res = 0;
+-    while (!done && res == 0) {
+    assert(next_protocol);
+    assert(l2len);
+    assert(l2offset);
+    assert(vlan_offset);
+
+    if (!pktdata || !datalen)
+        errx(-1, "parse_metadata: invalid L2 parameters: pktdata=0x%p len=%d", pktdata, datalen);
+
+    while (!done) {
+         switch (*next_protocol) {
+         case ETHERTYPE_VLAN:
+         case ETHERTYPE_Q_IN_Q:
+@@ -205,18 +212,22 @@ parse_metadata(const u_char *pktdata,
+             if (*vlan_offset == 0)
+                 *vlan_offset = *l2len;
+ 
+-            res = parse_vlan(pktdata, datalen, next_protocol, l2len);
+            if (parse_vlan(pktdata, datalen, next_protocol, l2len))
+                return -1;
+
+             break;
+         case ETHERTYPE_MPLS:
+         case ETHERTYPE_MPLS_MULTI:
+-            res = parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset);
+            if (parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset))
+                return -1;
+
+             break;
+         default:
+             done = true;
+         }
+     }
+ 
+-    return res;
+    return 0;
+ }
+ 
+ /*
+@@ -605,9 +616,11 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, const u_char *end_ptr)
+          * no further processing, either TCP, UDP, ICMP, etc...
+          */
+         default:
+-            if (proto != ip6_hdr->ip_nh) {
+            if (proto != ip6_hdr->ip_nh && next) {
+                 dbgx(3, "Returning byte offset of this ext header: %u", IPV6_EXTLEN_TO_BYTES(next->ip_len));
+                 next = (void *)((u_char *)next + IPV6_EXTLEN_TO_BYTES(next->ip_len));
+                if ((u_char*)next > end_ptr)
+                    return NULL;
+             } else {
+                 dbgx(3, "%s", "Returning end of IPv6 Header");
+             }
+-- 
+2.40.0
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
new file mode 100644
index 0000000000..bcf560c0e5
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
@@ -0,0 +1,35 @@
+From 52ed63329b37ae83cb86504db2c9deb6a91e2fe9 Mon Sep 17 00:00:00 2001
+From: Gabriel Ganne <gabriel.ganne@gmail.com>
+Date: Sun, 21 Jan 2024 08:59:10 +0100
+Subject: [PATCH 2/2] ipv6 - add check for extension header length
+Fixes #827
+Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
+CVE: CVE-2024-22654
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/52ed63329b37ae83cb86504db2c9deb6a91e2fe9]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/common/get.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/src/common/get.c b/src/common/get.c
+index 89fe95b..c31de5d 100644
+--- a/src/common/get.c
+++ b/src/common/get.c
+@@ -676,6 +676,10 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr)
+     case TCPR_IPV6_NH_HBH:
+     case TCPR_IPV6_NH_AH:
+         extlen = IPV6_EXTLEN_TO_BYTES(exthdr->ip_len);
+        if (extlen == 0) {
+            dbg(3, "Malformed IPv6 extension header...");
+            return NULL;
+        }
+         dbgx(3,
+              "Looks like we're an ext header (0x%hhx).  Jumping %u bytes"
+              " to the next",
+--
+2.40.0
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
index 03a6cfdba5..a784190868 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -13,6 +13,8 @@ SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
    file://0001-configure.ac-do-not-run-conftest-in-case-of-cross-co.patch \
    file://CVE-2023-4256.patch \
    file://CVE-2023-43279.patch \
+    file://CVE-2024-22654-0001.patch \
+    file://CVE-2024-22654-0002.patch \
 "
 SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"
author	Archana Polampalli <archana.polampalli@windriver.com>	2025-06-03 21:18:44 +0530
committer	Armin Kuster <akuster808@gmail.com>	2025-07-10 20:13:26 -0400
commit	4a58c213346ff3dc04624328d3fad1d244047714 (patch)
tree	cd022494d969b9085e02fb9085090771e3cdb365
parent	6885bcddd4265c325d9b383e010c541dd272899a (diff)
download	meta-openembedded-4a58c213346ff3dc04624328d3fad1d244047714.tar.gz

diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch new file mode 100644 index 0000000000..26dedba8d4 --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
@@ -0,0 +1,90 @@
		1	From 5b5644356693f5c68dd4295e86f24f1d0a515d60 Mon Sep 17 00:00:00 2001
		2	From: Fred Klassen <fred.klassen@broadcom.com>
		3	Date: Sat, 1 Jun 2024 11:46:10 -0700
		4	Subject: [PATCH 1/2] Bug #827 PR# 842: add check for IPv6 extension header
		5	length
		6
		7	CVE: CVE-2024-22654
		8
		9	Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/5b5644356693f5c68dd4295e86f24f1d0a515d60]
		10
		11	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		12	---
		13	src/common/get.c \| 29 +++++++++++++++++++++--------
		14	1 file changed, 21 insertions(+), 8 deletions(-)
		15
		16	diff --git a/src/common/get.c b/src/common/get.c
		17	index 2d91116..89fe95b 100644
		18	--- a/src/common/get.c
		19	+++ b/src/common/get.c
		20	@@ -41,8 +41,8 @@ extern const char pcap_version[];
		21	static void get_ipv6_next(struct tcpr_ipv6_ext_hdr_base exthdr, const u_char *end_ptr);
		22
		23	/**
		24	- * Depending on what version of libpcap/WinPcap there are different ways to get
		25	- * the version of the libpcap/WinPcap library. This presents a unified way to
		26	+ * Depending on what version of libpcap there are different ways to get
		27	+ * the version of the libpcap library. This presents a unified way to
		28	* get that information.
		29	*/
		30	const char *
		31	@@ -196,8 +196,15 @@ parse_metadata(const u_char *pktdata,
		32	uint32_t *vlan_offset)
		33	{
		34	bool done = false;
		35	- int res = 0;
		36	- while (!done && res == 0) {
		37	+ assert(next_protocol);
		38	+ assert(l2len);
		39	+ assert(l2offset);
		40	+ assert(vlan_offset);
		41	+
		42	+ if (!pktdata \|\| !datalen)
		43	+ errx(-1, "parse_metadata: invalid L2 parameters: pktdata=0x%p len=%d", pktdata, datalen);
		44	+
		45	+ while (!done) {
		46	switch (*next_protocol) {
		47	case ETHERTYPE_VLAN:
		48	case ETHERTYPE_Q_IN_Q:
		49	@@ -205,18 +212,22 @@ parse_metadata(const u_char *pktdata,
		50	if (*vlan_offset == 0)
		51	vlan_offset = l2len;
		52
		53	- res = parse_vlan(pktdata, datalen, next_protocol, l2len);
		54	+ if (parse_vlan(pktdata, datalen, next_protocol, l2len))
		55	+ return -1;
		56	+
		57	break;
		58	case ETHERTYPE_MPLS:
		59	case ETHERTYPE_MPLS_MULTI:
		60	- res = parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset);
		61	+ if (parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset))
		62	+ return -1;
		63	+
		64	break;
		65	default:
		66	done = true;
		67	}
		68	}
		69
		70	- return res;
		71	+ return 0;
		72	}
		73
		74	/*
		75	@@ -605,9 +616,11 @@ get_layer4_v6(const ipv6_hdr_t ip6_hdr, const u_char end_ptr)
		76	* no further processing, either TCP, UDP, ICMP, etc...
		77	*/
		78	default:
		79	- if (proto != ip6_hdr->ip_nh) {
		80	+ if (proto != ip6_hdr->ip_nh && next) {
		81	dbgx(3, "Returning byte offset of this ext header: %u", IPV6_EXTLEN_TO_BYTES(next->ip_len));
		82	next = (void )((u_char )next + IPV6_EXTLEN_TO_BYTES(next->ip_len));
		83	+ if ((u_char*)next > end_ptr)
		84	+ return NULL;
		85	} else {
		86	dbgx(3, "%s", "Returning end of IPv6 Header");
		87	}
		88	--
		89	2.40.0
		90


diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch new file mode 100644 index 0000000000..bcf560c0e5 --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
@@ -0,0 +1,35 @@
		1	From 52ed63329b37ae83cb86504db2c9deb6a91e2fe9 Mon Sep 17 00:00:00 2001
		2	From: Gabriel Ganne <gabriel.ganne@gmail.com>
		3	Date: Sun, 21 Jan 2024 08:59:10 +0100
		4	Subject: [PATCH 2/2] ipv6 - add check for extension header length
		5
		6	Fixes #827
		7
		8	Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
		9
		10	CVE: CVE-2024-22654
		11
		12	Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/52ed63329b37ae83cb86504db2c9deb6a91e2fe9]
		13
		14	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		15	---
		16	src/common/get.c \| 4 ++++
		17	1 file changed, 4 insertions(+)
		18
		19	diff --git a/src/common/get.c b/src/common/get.c
		20	index 89fe95b..c31de5d 100644
		21	--- a/src/common/get.c
		22	+++ b/src/common/get.c
		23	@@ -676,6 +676,10 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_base exthdr, const u_char end_ptr)
		24	case TCPR_IPV6_NH_HBH:
		25	case TCPR_IPV6_NH_AH:
		26	extlen = IPV6_EXTLEN_TO_BYTES(exthdr->ip_len);
		27	+ if (extlen == 0) {
		28	+ dbg(3, "Malformed IPv6 extension header...");
		29	+ return NULL;
		30	+ }
		31	dbgx(3,
		32	"Looks like we're an ext header (0x%hhx). Jumping %u bytes"
		33	" to the next",
		34	--
		35	2.40.0


diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb index 03a6cfdba5..a784190868 100644 --- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -13,6 +13,8 @@ SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
13	file://0001-configure.ac-do-not-run-conftest-in-case-of-cross-co.patch \	13	file://0001-configure.ac-do-not-run-conftest-in-case-of-cross-co.patch \
14	file://CVE-2023-4256.patch \	14	file://CVE-2023-4256.patch \
15	file://CVE-2023-43279.patch \	15	file://CVE-2023-43279.patch \
		16	file://CVE-2024-22654-0001.patch \
		17	file://CVE-2024-22654-0002.patch \
16	"	18	"
17		19
18	SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"	20	SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"