summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorArchana Polampalli <archana.polampalli@windriver.com>2025-12-16 12:45:36 +0530
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2025-12-17 11:45:23 +0530
commitc42bfd596ece58958e1cf496babc0c5c92899038 (patch)
tree7e1aa72d0e4413127546d32270aa497f93f3c72b /meta-networking
parent788904cef140e7dea251c24747a36e232d773f06 (diff)
downloadmeta-openembedded-c42bfd596ece58958e1cf496babc0c5c92899038.tar.gz
tcpreplay: fix CVE-2025-9157
A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> (cherry picked from commit 0538af085a47b038e369db9872ffed8945b200c2) Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch44
-rw-r--r--meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb1
2 files changed, 45 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch
new file mode 100644
index 0000000000..e52ec0dffc
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch
@@ -0,0 +1,44 @@
1From 73008f261f1cdf7a1087dc8759115242696d35da Mon Sep 17 00:00:00 2001
2From: Fred Klassen <fred.klassen@broadcom.com>
3Date: Mon, 18 Aug 2025 18:35:16 -0700
4Subject: [PATCH] Bug #970 tcprewrite: --fixlen: do not use realloc
5
6No need to realloc if buffer is already proven to be big enough.
7
8CVE: CVE-2025-9157
9
10Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/73008f261f1cdf7a1087dc8759115242696d35da]
11
12Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
13---
14 src/tcpedit/edit_packet.c | 1 -
15 src/tcprewrite.c | 2 ++
16 2 files changed, 2 insertions(+), 1 deletion(-)
17
18diff --git a/src/tcpedit/edit_packet.c b/src/tcpedit/edit_packet.c
19index 1025ff9..f9ade8f 100644
20--- a/src/tcpedit/edit_packet.c
21+++ b/src/tcpedit/edit_packet.c
22@@ -558,7 +558,6 @@ untrunc_packet(tcpedit_t *tcpedit,
23 * which seems like a corrupted pcap
24 */
25 if (pkthdr->len > pkthdr->caplen) {
26- packet = safe_realloc(packet, pkthdr->len + PACKET_HEADROOM);
27 memset(packet + pkthdr->caplen, '\0', pkthdr->len - pkthdr->caplen);
28 pkthdr->caplen = pkthdr->len;
29 } else if (pkthdr->len < pkthdr->caplen) {
30diff --git a/src/tcprewrite.c b/src/tcprewrite.c
31index c9aa52c..ee05a26 100644
32--- a/src/tcprewrite.c
33+++ b/src/tcprewrite.c
34@@ -270,6 +270,8 @@ rewrite_packets(tcpedit_t *tcpedit_ctx, pcap_t *pin, pcap_dumper_t *pout)
35
36 if (pkthdr.caplen > MAX_SNAPLEN)
37 errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAX_SNAPLEN);
38+ if (pkthdr.len > MAX_SNAPLEN)
39+ errx(-1, "Frame too big, len %d exceeds %d", pkthdr.len, MAX_SNAPLEN);
40 /*
41 * copy over the packet so we can pad it out if necessary and
42 * because pcap_next() returns a const ptr
43--
442.40.0
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
index a784190868..866661b4d1 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -15,6 +15,7 @@ SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
15 file://CVE-2023-43279.patch \ 15 file://CVE-2023-43279.patch \
16 file://CVE-2024-22654-0001.patch \ 16 file://CVE-2024-22654-0001.patch \
17 file://CVE-2024-22654-0002.patch \ 17 file://CVE-2024-22654-0002.patch \
18 file://CVE-2025-9157.patch \
18" 19"
19 20
20SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf" 21SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"