iperf3: Fix CVE-2023-7250

A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service. References: https://nvd.nist.gov/vuln/detail/CVE-2023-7250 https://security-tracker.debian.org/tracker/CVE-2023-7250 Upstream patch: https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4 Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
author: Soumya Sambu <soumya.sambu@windriver.com> 2025-09-26 17:14:28 +0530
committer: Gyorgy Sarvari <skandigraun@gmail.com> 2025-09-26 15:01:57 +0200
commit: 0a0ba8f46745c8743bb1979e3250aa1fa932f643 (patch)
tree: 8ef9f8d94e3f6b80e25f9e3b019b4ac17a40cd8d
parent: 8f65fa4e2eb7598384d5d1d1be07beef10c0b4e8 (diff)
download: meta-openembedded-0a0ba8f46745c8743bb1979e3250aa1fa932f643.tar.gz
2 files changed, 134 insertions, 0 deletions
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch
new file mode 100644
index 0000000000..6000480de7
--- /dev/null
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch
@@ -0,0 +1,133 @@
+From 5e3704dd850a5df2fb2b3eafd117963d017d07b4 Mon Sep 17 00:00:00 2001
+From: "Bruce A. Mah" <bmah@es.net>
+Date: Tue, 1 Aug 2023 14:02:54 -0700
+Subject: [PATCH] Implement fixes to make the control connection more robust.
+These include various timeouts in Nread() to guarantee that it will
+eventually exit, a 10-second timeout for each attempt to read data
+from the network and an approximately 30-second overall timeout per
+Nread() call.
+Also the iperf3 server now checks the length of the received session
+cookie, and errors out if this happens to be incorrect.
+Reported by Jorge Sancho Larraz - Canonical.
+CVE: CVE-2023-7250
+Upstream-Status: Backport [https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4]
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/iperf_server_api.c |  7 ++++-
+ src/net.c              | 62 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+diff --git a/src/iperf_server_api.c b/src/iperf_server_api.c
+index 18f105d..ae916f5 100644
+--- a/src/iperf_server_api.c
+++ b/src/iperf_server_api.c
+@@ -140,7 +140,12 @@ iperf_accept(struct iperf_test *test)
+         }
+ #endif /* HAVE_TCP_USER_TIMEOUT */
+ 
+-        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
+        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) != COOKIE_SIZE) {
+            /*
+             * Note this error covers both the case of a system error
+             * or the inability to read the correct amount of data
+             * (i.e. timed out).
+             */
+             i_errno = IERECVCOOKIE;
+             return -1;
+         }
+diff --git a/src/net.c b/src/net.c
+index 1a88155..b80fb64 100644
+--- a/src/net.c
+++ b/src/net.c
+@@ -65,6 +65,9 @@
+ #include "net.h"
+ #include "timer.h"
+ 
+static int nread_read_timeout = 10;
+static int nread_overall_timeout = 30;
+
+ /*
+  * Declaration of gerror in iperf_error.c.  Most other files in iperf3 can get this
+  * by including "iperf.h", but net.c lives "below" this layer.  Clearly the
+@@ -372,6 +375,32 @@ Nread(int fd, char *buf, size_t count, int prot)
+ {
+     register ssize_t r;
+     register size_t nleft = count;
+    struct iperf_time ftimeout = { 0, 0 };
+
+    fd_set rfdset;
+    struct timeval timeout = { nread_read_timeout, 0 };
+
+    /*
+     * fd might not be ready for reading on entry. Check for this
+     * (with timeout) first.
+     *
+     * This check could go inside the while() loop below, except we're
+     * currently considering whether it might make sense to support a
+     * codepath that bypassese this check, for situations where we
+     * already know that fd has data on it (for example if we'd gotten
+     * to here as the result of a select() call.
+     */
+    {
+        FD_ZERO(&rfdset);
+        FD_SET(fd, &rfdset);
+        r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
+        if (r < 0) {
+            return NET_HARDERROR;
+        }
+        if (r == 0) {
+            return 0;
+        }
+    }
+ 
+     while (nleft > 0) {
+         r = read(fd, buf, nleft);
+@@ -385,6 +414,39 @@ Nread(int fd, char *buf, size_t count, int prot)
+ 
+         nleft -= r;
+         buf += r;
+
+        /*
+         * We need some more bytes but don't want to wait around
+         * forever for them. In the case of partial results, we need
+         * to be able to read some bytes every nread_timeout seconds.
+         */
+        if (nleft > 0) {
+            struct iperf_time now;
+
+            /*
+             * Also, we have an approximate upper limit for the total time
+             * that a Nread call is supposed to take. We trade off accuracy
+             * of this timeout for a hopefully lower performance impact.
+             */
+            iperf_time_now(&now);
+            if (ftimeout.secs == 0) {
+                ftimeout = now;
+                iperf_time_add_usecs(&ftimeout, nread_overall_timeout * 1000000L);
+            }
+            if (iperf_time_compare(&ftimeout, &now) < 0) {
+                break;
+            }
+
+            FD_ZERO(&rfdset);
+            FD_SET(fd, &rfdset);
+            r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
+            if (r < 0) {
+                return NET_HARDERROR;
+            }
+            if (r == 0) {
+                break;
+            }
+        }
+     }
+     return count - nleft;
+ }
+-- 
+2.40.0
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb
index e161927927..fe4b50abc1 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
           file://0001-configure.ac-check-for-CPP-prog.patch \
           file://CVE-2025-54350.patch \
           file://CVE-2025-54349.patch \
+           file://CVE-2023-7250.patch \
           "
 SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d"
author	Soumya Sambu <soumya.sambu@windriver.com>	2025-09-26 17:14:28 +0530
committer	Gyorgy Sarvari <skandigraun@gmail.com>	2025-09-26 15:01:57 +0200
commit	0a0ba8f46745c8743bb1979e3250aa1fa932f643 (patch)
tree	8ef9f8d94e3f6b80e25f9e3b019b4ac17a40cd8d
parent	8f65fa4e2eb7598384d5d1d1be07beef10c0b4e8 (diff)
download	meta-openembedded-0a0ba8f46745c8743bb1979e3250aa1fa932f643.tar.gz

diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch new file mode 100644 index 0000000000..6000480de7 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch
@@ -0,0 +1,133 @@
		1	From 5e3704dd850a5df2fb2b3eafd117963d017d07b4 Mon Sep 17 00:00:00 2001
		2	From: "Bruce A. Mah" <bmah@es.net>
		3	Date: Tue, 1 Aug 2023 14:02:54 -0700
		4	Subject: [PATCH] Implement fixes to make the control connection more robust.
		5
		6	These include various timeouts in Nread() to guarantee that it will
		7	eventually exit, a 10-second timeout for each attempt to read data
		8	from the network and an approximately 30-second overall timeout per
		9	Nread() call.
		10
		11	Also the iperf3 server now checks the length of the received session
		12	cookie, and errors out if this happens to be incorrect.
		13
		14	Reported by Jorge Sancho Larraz - Canonical.
		15
		16	CVE: CVE-2023-7250
		17
		18	Upstream-Status: Backport [https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4]
		19
		20	Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
		21	---
		22	src/iperf_server_api.c \| 7 ++++-
		23	src/net.c \| 62 ++++++++++++++++++++++++++++++++++++++++++
		24	2 files changed, 68 insertions(+), 1 deletion(-)
		25
		26	diff --git a/src/iperf_server_api.c b/src/iperf_server_api.c
		27	index 18f105d..ae916f5 100644
		28	--- a/src/iperf_server_api.c
		29	+++ b/src/iperf_server_api.c
		30	@@ -140,7 +140,12 @@ iperf_accept(struct iperf_test *test)
		31	}
		32	#endif /* HAVE_TCP_USER_TIMEOUT */
		33
		34	- if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
		35	+ if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) != COOKIE_SIZE) {
		36	+ /*
		37	+ * Note this error covers both the case of a system error
		38	+ * or the inability to read the correct amount of data
		39	+ * (i.e. timed out).
		40	+ */
		41	i_errno = IERECVCOOKIE;
		42	return -1;
		43	}
		44	diff --git a/src/net.c b/src/net.c
		45	index 1a88155..b80fb64 100644
		46	--- a/src/net.c
		47	+++ b/src/net.c
		48	@@ -65,6 +65,9 @@
		49	#include "net.h"
		50	#include "timer.h"
		51
		52	+static int nread_read_timeout = 10;
		53	+static int nread_overall_timeout = 30;
		54	+
		55	/*
		56	* Declaration of gerror in iperf_error.c. Most other files in iperf3 can get this
		57	* by including "iperf.h", but net.c lives "below" this layer. Clearly the
		58	@@ -372,6 +375,32 @@ Nread(int fd, char *buf, size_t count, int prot)
		59	{
		60	register ssize_t r;
		61	register size_t nleft = count;
		62	+ struct iperf_time ftimeout = { 0, 0 };
		63	+
		64	+ fd_set rfdset;
		65	+ struct timeval timeout = { nread_read_timeout, 0 };
		66	+
		67	+ /*
		68	+ * fd might not be ready for reading on entry. Check for this
		69	+ * (with timeout) first.
		70	+ *
		71	+ * This check could go inside the while() loop below, except we're
		72	+ * currently considering whether it might make sense to support a
		73	+ * codepath that bypassese this check, for situations where we
		74	+ * already know that fd has data on it (for example if we'd gotten
		75	+ * to here as the result of a select() call.
		76	+ */
		77	+ {
		78	+ FD_ZERO(&rfdset);
		79	+ FD_SET(fd, &rfdset);
		80	+ r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
		81	+ if (r < 0) {
		82	+ return NET_HARDERROR;
		83	+ }
		84	+ if (r == 0) {
		85	+ return 0;
		86	+ }
		87	+ }
		88
		89	while (nleft > 0) {
		90	r = read(fd, buf, nleft);
		91	@@ -385,6 +414,39 @@ Nread(int fd, char *buf, size_t count, int prot)
		92
		93	nleft -= r;
		94	buf += r;
		95	+
		96	+ /*
		97	+ * We need some more bytes but don't want to wait around
		98	+ * forever for them. In the case of partial results, we need
		99	+ * to be able to read some bytes every nread_timeout seconds.
		100	+ */
		101	+ if (nleft > 0) {
		102	+ struct iperf_time now;
		103	+
		104	+ /*
		105	+ * Also, we have an approximate upper limit for the total time
		106	+ * that a Nread call is supposed to take. We trade off accuracy
		107	+ * of this timeout for a hopefully lower performance impact.
		108	+ */
		109	+ iperf_time_now(&now);
		110	+ if (ftimeout.secs == 0) {
		111	+ ftimeout = now;
		112	+ iperf_time_add_usecs(&ftimeout, nread_overall_timeout * 1000000L);
		113	+ }
		114	+ if (iperf_time_compare(&ftimeout, &now) < 0) {
		115	+ break;
		116	+ }
		117	+
		118	+ FD_ZERO(&rfdset);
		119	+ FD_SET(fd, &rfdset);
		120	+ r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
		121	+ if (r < 0) {
		122	+ return NET_HARDERROR;
		123	+ }
		124	+ if (r == 0) {
		125	+ break;
		126	+ }
		127	+ }
		128	}
		129	return count - nleft;
		130	}
		131	--
		132	2.40.0
		133


diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb index e161927927..fe4b50abc1 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
18	file://0001-configure.ac-check-for-CPP-prog.patch \	18	file://0001-configure.ac-check-for-CPP-prog.patch \
19	file://CVE-2025-54350.patch \	19	file://CVE-2025-54350.patch \
20	file://CVE-2025-54349.patch \	20	file://CVE-2025-54349.patch \
		21	file://CVE-2023-7250.patch \
21	"	22	"
22		23
23	SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d"	24	SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d"