2 files changed, 208 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch
new file mode 100644
index 0000000000..bd07965543
--- /dev/null
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch
@@ -0,0 +1,207 @@
+Upstream-Status: Backport [https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b]
+Fix CVE-2016-10396.
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
+Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
+Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
+Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
+++ pkg-ipsec-tools/src/racoon/isakmp_frag.c
+@@ -1,4 +1,4 @@
+-/*     $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $   */
+/*     $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $      */
+ 
+ /* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
+ 
+@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
+        return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
+ }
+ 
+static int 
+isakmp_frag_insert(struct ph1handle *iph1, struct isakmp_frag_item *item)
+{
+       struct isakmp_frag_item *pitem = NULL;
+       struct isakmp_frag_item *citem = iph1->frag_chain;
+
+       /* no frag yet, just insert at beginning of list */
+       if (iph1->frag_chain == NULL) {
+               iph1->frag_chain = item;
+               return 0;
+       }
+
+       do {
+               /* duplicate fragment number, abort (CVE-2016-10396) */
+               if (citem->frag_num == item->frag_num)
+                       return -1;
+
+               /* need to insert before current item */
+               if (citem->frag_num > item->frag_num) {
+                       if (pitem != NULL)
+                               pitem->frag_next = item;
+                       else
+                               /* insert at the beginning of the list  */
+                               iph1->frag_chain = item;
+                       item->frag_next = citem;
+                       return 0;
+               }
+
+               pitem = citem;
+               citem = citem->frag_next;
+       } while (citem != NULL);
+
+       /* we reached the end of the list, insert */
+       pitem->frag_next = item;
+       return 0;
+}
+
+ int 
+ isakmp_frag_extract(iph1, msg)
+        struct ph1handle *iph1;
+@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
+        item->frag_next = NULL;
+        item->frag_packet = buf;
+ 
+-       /* Look for the last frag while inserting the new item in the chain */
+-       if (item->frag_last)
+-               last_frag = item->frag_num;
+       /* Check for the last frag before inserting the new item in the chain */
+       if (item->frag_last) {
+               /* if we have the last fragment, indices must match */
+               if (iph1->frag_last_index != 0 &&
+                   item->frag_last != iph1->frag_last_index) {
+                       plog(LLV_ERROR, LOCATION, NULL,
+                            "Repeated last fragment index mismatch\n");
+                       racoon_free(item);
+                       vfree(buf);
+                       return -1;
+               }
+ 
+-       if (iph1->frag_chain == NULL) {
+-               iph1->frag_chain = item;
+-       } else {
+-               struct isakmp_frag_item *current;
+               last_frag = iph1->frag_last_index = item->frag_num;
+       }
+ 
+-               current = iph1->frag_chain;
+-               while (current->frag_next) {
+-                       if (current->frag_last)
+-                               last_frag = item->frag_num;
+-                       current = current->frag_next;
+-               }
+-               current->frag_next = item;
+       /* insert fragment into chain */
+       if (isakmp_frag_insert(iph1, item) == -1) {
+               plog(LLV_ERROR, LOCATION, NULL,
+                   "Repeated fragment index mismatch\n");
+               racoon_free(item);
+               vfree(buf);
+               return -1;
+        }
+ 
+-       /* If we saw the last frag, check if the chain is complete */
+       /* If we saw the last frag, check if the chain is complete
+        * we have a sorted list now, so just walk through */
+        if (last_frag != 0) {
+               item = iph1->frag_chain;
+                for (i = 1; i <= last_frag; i++) {
+-                       item = iph1->frag_chain;
+-                       do {
+-                               if (item->frag_num == i)
+-                                       break;
+-                               item = item->frag_next;
+-                       } while (item != NULL);
+-
+                       if (item->frag_num != i)
+                               break;
+                       item = item->frag_next;
+                        if (item == NULL) /* Not found */
+                                break;
+                }
+ 
+-               if (item != NULL) /* It is complete */
+               if (i > last_frag) /* It is complete */
+                        return 1;
+        }
+                
+@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
+        }
+        data = buf->v;
+ 
+       item = iph1->frag_chain;
+        for (i = 1; i <= frag_count; i++) {
+-               item = iph1->frag_chain;
+-               do {
+-                       if (item->frag_num == i)
+-                               break;
+-                       item = item->frag_next;
+-               } while (item != NULL);
+-
+-               if (item == NULL) {
+               if (item->frag_num != i) {
+                        plog(LLV_ERROR, LOCATION, NULL, 
+                            "Missing fragment #%d\n", i);
+                        vfree(buf);
+@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
+                }
+                memcpy(data, item->frag_packet->v, item->frag_packet->l);
+                data += item->frag_packet->l;
+               item = item->frag_next;
+        }
+ 
+ out:
+Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c
+++ pkg-ipsec-tools/src/racoon/isakmp_inf.c
+@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
+ #endif
+ #ifdef ENABLE_FRAG
+        iph1->frag = 0;
+       iph1->frag_last_index = 0;
+        iph1->frag_chain = NULL;
+ #endif
+ 
+Index: pkg-ipsec-tools/src/racoon/isakmp.c
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/isakmp.c
+++ pkg-ipsec-tools/src/racoon/isakmp.c
+@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
+                iph1->frag = 1;
+        else
+                iph1->frag = 0;
+       iph1->frag_last_index = 0;
+        iph1->frag_chain = NULL;
+ #endif
+        iph1->approval = NULL;
+@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et
+ #endif
+ #ifdef ENABLE_FRAG
+        iph1->frag = 0;
+       iph1->frag_last_index = 0;
+        iph1->frag_chain = NULL;
+ #endif
+        iph1->approval = NULL;
+Index: pkg-ipsec-tools/src/racoon/handler.h
+===================================================================
+--- pkg-ipsec-tools.orig/src/racoon/handler.h
+++ pkg-ipsec-tools/src/racoon/handler.h
+@@ -1,4 +1,4 @@
+-/*     $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $      */
+/*     $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $    */
+ 
+ /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
+ 
+@@ -141,6 +141,7 @@ struct ph1handle {
+ #endif
+ #ifdef ENABLE_FRAG
+        int frag;                       /* IKE phase 1 fragmentation */
+       int frag_last_index;
+        struct isakmp_frag_item *frag_chain;    /* Received fragments */
+ #endif
+ 
diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
index d7e8b25961..5cbeb15ad5 100644
--- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
+++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${P
           file://0001-Fix-build-with-clang.patch \
           file://0001-Fix-header-issues-found-with-musl-libc.patch \
           file://0002-cfparse-clear-memory-equal-to-size-of-array.patch \
+           file://fix-CVE-2016-10396.patch \
           "
 SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"
 SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"

diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch new file mode 100644 index 0000000000..bd07965543 --- /dev/null +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools/fix-CVE-2016-10396.patch
@@ -0,0 +1,207 @@
		1	Upstream-Status: Backport [https://anonscm.debian.org/cgit/pkg-ipsec-tools/pkg-ipsec-tools.git/plain/debian/patches/CVE-2016-10396.patch?id=62ac12648a4eb7c5ba5dba0f81998d1acf310d8b]
		2
		3	Fix CVE-2016-10396.
		4
		5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
		6	---
		7	Description: Fix remotely exploitable DoS. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10396
		8	Source: vendor; https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=51682
		9	Bug-debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867986
		10
		11	Index: pkg-ipsec-tools/src/racoon/isakmp_frag.c
		12	===================================================================
		13	--- pkg-ipsec-tools.orig/src/racoon/isakmp_frag.c
		14	+++ pkg-ipsec-tools/src/racoon/isakmp_frag.c
		15	@@ -1,4 +1,4 @@
		16	-/* $NetBSD: isakmp_frag.c,v 1.5 2009/04/22 11:24:20 tteras Exp $ */
		17	+/* $NetBSD: isakmp_frag.c,v 1.5.36.1 2017/04/21 16:50:42 bouyer Exp $ */
		18
		19	/* Id: isakmp_frag.c,v 1.4 2004/11/13 17:31:36 manubsd Exp */
		20
		21	@@ -173,6 +173,43 @@ vendorid_frag_cap(gen)
		22	return ntohl(hp[MD5_DIGEST_LENGTH / sizeof(*hp)]);
		23	}
		24
		25	+static int
		26	+isakmp_frag_insert(struct ph1handle iph1, struct isakmp_frag_item item)
		27	+{
		28	+ struct isakmp_frag_item *pitem = NULL;
		29	+ struct isakmp_frag_item *citem = iph1->frag_chain;
		30	+
		31	+ /* no frag yet, just insert at beginning of list */
		32	+ if (iph1->frag_chain == NULL) {
		33	+ iph1->frag_chain = item;
		34	+ return 0;
		35	+ }
		36	+
		37	+ do {
		38	+ /* duplicate fragment number, abort (CVE-2016-10396) */
		39	+ if (citem->frag_num == item->frag_num)
		40	+ return -1;
		41	+
		42	+ /* need to insert before current item */
		43	+ if (citem->frag_num > item->frag_num) {
		44	+ if (pitem != NULL)
		45	+ pitem->frag_next = item;
		46	+ else
		47	+ /* insert at the beginning of the list */
		48	+ iph1->frag_chain = item;
		49	+ item->frag_next = citem;
		50	+ return 0;
		51	+ }
		52	+
		53	+ pitem = citem;
		54	+ citem = citem->frag_next;
		55	+ } while (citem != NULL);
		56	+
		57	+ /* we reached the end of the list, insert */
		58	+ pitem->frag_next = item;
		59	+ return 0;
		60	+}
		61	+
		62	int
		63	isakmp_frag_extract(iph1, msg)
		64	struct ph1handle *iph1;
		65	@@ -224,39 +261,43 @@ isakmp_frag_extract(iph1, msg)
		66	item->frag_next = NULL;
		67	item->frag_packet = buf;
		68
		69	- /* Look for the last frag while inserting the new item in the chain */
		70	- if (item->frag_last)
		71	- last_frag = item->frag_num;
		72	+ /* Check for the last frag before inserting the new item in the chain */
		73	+ if (item->frag_last) {
		74	+ /* if we have the last fragment, indices must match */
		75	+ if (iph1->frag_last_index != 0 &&
		76	+ item->frag_last != iph1->frag_last_index) {
		77	+ plog(LLV_ERROR, LOCATION, NULL,
		78	+ "Repeated last fragment index mismatch\n");
		79	+ racoon_free(item);
		80	+ vfree(buf);
		81	+ return -1;
		82	+ }
		83
		84	- if (iph1->frag_chain == NULL) {
		85	- iph1->frag_chain = item;
		86	- } else {
		87	- struct isakmp_frag_item *current;
		88	+ last_frag = iph1->frag_last_index = item->frag_num;
		89	+ }
		90
		91	- current = iph1->frag_chain;
		92	- while (current->frag_next) {
		93	- if (current->frag_last)
		94	- last_frag = item->frag_num;
		95	- current = current->frag_next;
		96	- }
		97	- current->frag_next = item;
		98	+ /* insert fragment into chain */
		99	+ if (isakmp_frag_insert(iph1, item) == -1) {
		100	+ plog(LLV_ERROR, LOCATION, NULL,
		101	+ "Repeated fragment index mismatch\n");
		102	+ racoon_free(item);
		103	+ vfree(buf);
		104	+ return -1;
		105	}
		106
		107	- /* If we saw the last frag, check if the chain is complete */
		108	+ /* If we saw the last frag, check if the chain is complete
		109	+ * we have a sorted list now, so just walk through */
		110	if (last_frag != 0) {
		111	+ item = iph1->frag_chain;
		112	for (i = 1; i <= last_frag; i++) {
		113	- item = iph1->frag_chain;
		114	- do {
		115	- if (item->frag_num == i)
		116	- break;
		117	- item = item->frag_next;
		118	- } while (item != NULL);
		119	-
		120	+ if (item->frag_num != i)
		121	+ break;
		122	+ item = item->frag_next;
		123	if (item == NULL) /* Not found */
		124	break;
		125	}
		126
		127	- if (item != NULL) /* It is complete */
		128	+ if (i > last_frag) /* It is complete */
		129	return 1;
		130	}
		131
		132	@@ -291,15 +332,9 @@ isakmp_frag_reassembly(iph1)
		133	}
		134	data = buf->v;
		135
		136	+ item = iph1->frag_chain;
		137	for (i = 1; i <= frag_count; i++) {
		138	- item = iph1->frag_chain;
		139	- do {
		140	- if (item->frag_num == i)
		141	- break;
		142	- item = item->frag_next;
		143	- } while (item != NULL);
		144	-
		145	- if (item == NULL) {
		146	+ if (item->frag_num != i) {
		147	plog(LLV_ERROR, LOCATION, NULL,
		148	"Missing fragment #%d\n", i);
		149	vfree(buf);
		150	@@ -308,6 +343,7 @@ isakmp_frag_reassembly(iph1)
		151	}
		152	memcpy(data, item->frag_packet->v, item->frag_packet->l);
		153	data += item->frag_packet->l;
		154	+ item = item->frag_next;
		155	}
		156
		157	out:
		158	Index: pkg-ipsec-tools/src/racoon/isakmp_inf.c
		159	===================================================================
		160	--- pkg-ipsec-tools.orig/src/racoon/isakmp_inf.c
		161	+++ pkg-ipsec-tools/src/racoon/isakmp_inf.c
		162	@@ -720,6 +720,7 @@ isakmp_info_send_nx(isakmp, remote, loca
		163	#endif
		164	#ifdef ENABLE_FRAG
		165	iph1->frag = 0;
		166	+ iph1->frag_last_index = 0;
		167	iph1->frag_chain = NULL;
		168	#endif
		169
		170	Index: pkg-ipsec-tools/src/racoon/isakmp.c
		171	===================================================================
		172	--- pkg-ipsec-tools.orig/src/racoon/isakmp.c
		173	+++ pkg-ipsec-tools/src/racoon/isakmp.c
		174	@@ -1072,6 +1072,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
		175	iph1->frag = 1;
		176	else
		177	iph1->frag = 0;
		178	+ iph1->frag_last_index = 0;
		179	iph1->frag_chain = NULL;
		180	#endif
		181	iph1->approval = NULL;
		182	@@ -1176,6 +1177,7 @@ isakmp_ph1begin_r(msg, remote, local, et
		183	#endif
		184	#ifdef ENABLE_FRAG
		185	iph1->frag = 0;
		186	+ iph1->frag_last_index = 0;
		187	iph1->frag_chain = NULL;
		188	#endif
		189	iph1->approval = NULL;
		190	Index: pkg-ipsec-tools/src/racoon/handler.h
		191	===================================================================
		192	--- pkg-ipsec-tools.orig/src/racoon/handler.h
		193	+++ pkg-ipsec-tools/src/racoon/handler.h
		194	@@ -1,4 +1,4 @@
		195	-/* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
		196	+/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
		197
		198	/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
		199
		200	@@ -141,6 +141,7 @@ struct ph1handle {
		201	#endif
		202	#ifdef ENABLE_FRAG
		203	int frag; /* IKE phase 1 fragmentation */
		204	+ int frag_last_index;
		205	struct isakmp_frag_item frag_chain; / Received fragments */
		206	#endif
		207


diff --git a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb index d7e8b25961..5cbeb15ad5 100644 --- a/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb +++ b/meta-networking/recipes-support/ipsec-tools/ipsec-tools_0.8.2.bb
@@ -24,6 +24,7 @@ SRC_URI = "http://ftp.netbsd.org/pub/NetBSD/misc/ipsec-tools/0.8/ipsec-tools-${P
24	file://0001-Fix-build-with-clang.patch \	24	file://0001-Fix-build-with-clang.patch \
25	file://0001-Fix-header-issues-found-with-musl-libc.patch \	25	file://0001-Fix-header-issues-found-with-musl-libc.patch \
26	file://0002-cfparse-clear-memory-equal-to-size-of-array.patch \	26	file://0002-cfparse-clear-memory-equal-to-size-of-array.patch \
		27	file://fix-CVE-2016-10396.patch \
27	"	28	"
28	SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"	29	SRC_URI[md5sum] = "d53ec14a0a3ece64e09e5e34b3350b41"
29	SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"	30	SRC_URI[sha256sum] = "8eb6b38716e2f3a8a72f1f549c9444c2bc28d52c9536792690564c74fe722f2d"