tcpreplay: fix CVE-2025-51006

Within tcpreplay's tcprewrite, a double free vulnerability has been identified
in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly
invokes the cleanup routine multiple times on the same memory region.
By supplying a specifically crafted pcap file to the tcprewrite binary,
a local attacker can exploit this flaw to cause a Denial of Service (DoS) via memory corruption.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

2 files changed, 98 insertions, 0 deletions

diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
new file mode 100644
index 0000000000..a55ac8c314
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
@@ -0,0 +1,97 @@
+From 868db118535a646a8a48c957f1e6367069be1aa7 Mon Sep 17 00:00:00 2001
+From: Fred Klassen <fred.klassen@broadcom.com>
+Date: Wed, 9 Jul 2025 21:01:12 -0700
+Subject: [PATCH] Bug #902 juniper: added safeguards Protect against invalid or
+ unsupported Juniper packets.
+
+Notes:
+
+- only Ethernet packets are currently supported
+- was unable to recreate the original bug, but areas where hardening was required
+
+CVE: CVE-2025-51006
+
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/868db118535a646a8a48c957f1e6367069be1aa7]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ .../plugins/dlt_jnpr_ether/jnpr_ether.c       | 33 +++++++++++++++++--
+ .../plugins/dlt_jnpr_ether/jnpr_ether.h       |  2 ++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
+index 9642a2c..671d5c0 100644
+--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
++++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
+@@ -202,8 +202,12 @@ dlt_jnpr_ether_parse_opts(tcpeditdlt_t *ctx)
+ int
+ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
+ {
++    int extensions_len = 0;
+     int jnpr_header_len = 0;
+     const u_char *ethernet = NULL;
++    const u_char *extension;
++    u_char dlt = 0;
++    u_char encapsulation = 0;
+     jnpr_ether_config_t *config;
+
+     assert(ctx);
+@@ -228,9 +232,10 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
+     }
+
+     /* then get the Juniper header length */
+-    memcpy(&jnpr_header_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
++    memcpy(&extensions_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
+
+-    jnpr_header_len = ntohs(jnpr_header_len) + JUNIPER_ETHER_HEADER_LEN;
++    extensions_len = ntohs(extensions_len);
++    jnpr_header_len = extensions_len + JUNIPER_ETHER_HEADER_LEN;
+
+     dbgx(1, "jnpr header len: %d", jnpr_header_len);
+     /* make sure the packet is big enough to find the Ethernet Header */
+@@ -245,6 +250,30 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
+     /* jump to the appropriate offset */
+     ethernet = packet + jnpr_header_len;
+
++    /* parse the extension header to ensure this is Ethernet - the only DLT we currently support */
++    extension = packet + JUNIPER_ETHER_HEADER_LEN;
++    while (extension  < ethernet - 2) {
++        u_char ext_len = extension[1];
++        if (extension[0] == JUNIPER_ETHER_EXT_MEDIA_TYPE)
++            dlt = extension[2];
++        else if (extension[0] == JUNIPER_ETHER_EXT_ENCAPSULATION)
++            encapsulation = extension[2];
++        if (dlt != 0 && encapsulation != 0)
++            break;
++        extension += ext_len + 2;
++    }
++
++    if (extension > ethernet) {
++        tcpedit_seterr(ctx->tcpedit, "Extension to long! %d", extension - ethernet);
++        return TCPEDIT_ERROR;
++    }
++
++    if (dlt != DLT_EN10MB || encapsulation != 14) {
++        tcpedit_setwarn(ctx->tcpedit, "packet DLT %d and extension type %d not supported",
++            dlt, extension);
++        return TCPEDIT_WARN;
++    }
++
+     /* let the en10mb plugin decode the rest */
+     if (tcpedit_dlt_decode(config->subctx, ethernet, (pktlen - jnpr_header_len)) == TCPEDIT_ERROR)
+         return TCPEDIT_ERROR;
+diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
+index 4875350..90c12b4 100644
+--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
++++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
+@@ -33,6 +33,8 @@ extern "C" {
+ #define JUNIPER_ETHER_L2PRESENT 0x80
+ #define JUNIPER_ETHER_DIRECTION 0x01
+ #define JUNIPER_ETHER_EXTLEN_OFFSET 4
++#define JUNIPER_ETHER_EXT_MEDIA_TYPE 3
++#define JUNIPER_ETHER_EXT_ENCAPSULATION 6
+
+ int dlt_jnpr_ether_register(tcpeditdlt_t *ctx);
+ int dlt_jnpr_ether_init(tcpeditdlt_t *ctx);
+--
+2.40.0
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
index c2edd29524..29207bc89f 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcprepl
            file://CVE-2024-22654-0002.patch \
            file://CVE-2023-43279.patch \
            file://CVE-2025-9157.patch \
+           file://CVE-2025-51006.patch \
 "
 
 SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"