packages/iptraf-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!21 [sync] PR-17: fix CVE-2024-52949

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw
This commit is contained in:
openeuler-ci-bot 2024-12-09 02:08:26 +00:00 committed by Gitee
commit eeeea64e87
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 225 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

217
backport-CVE-2024-52949.patch Normal file
View File

@ -0,0 +1,217 @@
From 2b623e991115358a57275af8a53feb5ae707b3ae Mon Sep 17 00:00:00 2001
From: Vitezslav Samel <vitezslav@samel.cz>
Date: Thu, 21 Nov 2024 08:43:57 +0100
Subject: [PATCH] interface names: limit length to IFNAMSIZ
This fixes CVE-2024-52949 (stack based buffer overflow)
when copying user supplied interface name without any
check.
Problem was reported by Massimiliano Ferraresi and Massimiliano Brolli
from TIM Red team (https://www.gruppotim.it/it/footer/red-team.html)
Reported-by: Massimiliano Ferraresi, Massimiliano Brolli
Signed-off-by: Vitezslav Samel <vitezslav@samel.cz>
---
src/ifaces.c | 16 ++++++++--------
src/ifstats.c | 6 +++---
src/iptraf-ng-compat.h | 1 +
src/iptraf.c | 9 +++++++++
src/othptab.c | 2 +-
src/promisc.c | 2 +-
src/tcptable.c | 4 ++--
src/wrapper.c | 8 ++++++++
8 files changed, 33 insertions(+), 15 deletions(-)
diff --git a/src/ifaces.c b/src/ifaces.c
index aeb1614..4c5a545 100644
--- a/src/ifaces.c
+++ b/src/ifaces.c
@@ -67,7 +67,7 @@ int dev_up(char *iface)
fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
- strcpy(ifr.ifr_name, iface);
+ ifname_copy(ifr.ifr_name, iface);
ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
close(fd);
@@ -90,7 +90,7 @@ int dev_get_ifindex(const char *iface)
return fd;
struct ifreq ifr;
- strcpy(ifr.ifr_name, iface);
+ ifname_copy(ifr.ifr_name, iface);
int ir = ioctl(fd, SIOCGIFINDEX, &ifr);
/* need to preserve errno across call to close() */
@@ -114,7 +114,7 @@ int dev_get_mtu(const char *iface)
return fd;
struct ifreq ifr;
- strcpy(ifr.ifr_name, iface);
+ ifname_copy(ifr.ifr_name, iface);
int ir = ioctl(fd, SIOCGIFMTU, &ifr);
/* need to preserve errno across call to close() */
@@ -138,7 +138,7 @@ int dev_get_flags(const char *iface)
return fd;
struct ifreq ifr;
- strcpy(ifr.ifr_name, iface);
+ ifname_copy(ifr.ifr_name, iface);
int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
/* need to preserve errno across call to close() */
@@ -162,7 +162,7 @@ int dev_set_flags(const char *iface, int flags)
return fd;
struct ifreq ifr;
- strcpy(ifr.ifr_name, iface);
+ ifname_copy(ifr.ifr_name, iface);
int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
if (ir == -1)
goto err;
@@ -190,7 +190,7 @@ int dev_clear_flags(const char *iface, int flags)
return fd;
struct ifreq ifr;
- strcpy(ifr.ifr_name, iface);
+ ifname_copy(ifr.ifr_name, iface);
int ir = ioctl(fd, SIOCGIFFLAGS, &ifr);
if (ir == -1)
goto err;
@@ -233,7 +233,7 @@ int dev_get_ifname(int ifindex, char *ifname)
return ir;
}
- strncpy(ifname, ifr.ifr_name, IFNAMSIZ);
+ ifname_copy(ifname, ifr.ifr_name);
return ir;
}
@@ -256,7 +256,7 @@ int dev_bind_ifname(int fd, const char * const ifname)
int ir;
struct ifreq ifr;
- strcpy(ifr.ifr_name, ifname);
+ ifname_copy(ifr.ifr_name, ifname);
ir = ioctl(fd, SIOCGIFINDEX, &ifr);
if (ir)
return ir;
diff --git a/src/ifstats.c b/src/ifstats.c
index 00a2a3f..1b687b6 100644
--- a/src/ifstats.c
+++ b/src/ifstats.c
@@ -194,7 +194,7 @@ static void initiflist(struct iflist **list)
struct iflist *itmp = alloc_iflist_entry();
itmp->ifindex = ifindex;
- strcpy(itmp->ifname, ifname);
+ ifname_copy(itmp->ifname, ifname);
/* make the linked list sorted by ifindex */
struct iflist *cur = *list, *last = NULL;
@@ -714,9 +714,9 @@ void selectiface(char *ifname, int withall, int *aborted)
if (!(*aborted) && (list != NULL)) {
ptmp = (struct iflist *) scrolllist.textptr->nodeptr;
if ((withall) && (ptmp->prev_entry == NULL)) /* All Interfaces */
- strcpy(ifname, "");
+ ifname_copy(ifname, "");
else
- strcpy(ifname, ptmp->ifname);
+ ifname_copy(ifname, ptmp->ifname);
}
tx_destroy_list(&scrolllist);
diff --git a/src/iptraf-ng-compat.h b/src/iptraf-ng-compat.h
index 5aec185..845f18b 100644
--- a/src/iptraf-ng-compat.h
+++ b/src/iptraf-ng-compat.h
@@ -112,6 +112,7 @@ extern void *xmallocz(size_t size);
extern char *xstrdup(const char *s);
extern int strtoul_ui(char const *s, int base, unsigned int *result);
extern int strtol_i(char const *s, int base, int *result);
+extern void ifname_copy(char *dst, const char *src);
extern void die(const char *err, ...) __noreturn __printf(1,2);
extern void die_errno(const char *fmt, ...) __noreturn __printf(1,2);
diff --git a/src/iptraf.c b/src/iptraf.c
index 95f8e53..e5dcb64 100644
--- a/src/iptraf.c
+++ b/src/iptraf.c
@@ -388,6 +388,15 @@ int main(int argc, char **argv)
if (__builtin_popcount(command) > 1)
die("only one of -i|-d|-s|-z|-l|-g options must be used");
+ /* sanity check of passed arguments */
+ if ((i_opt && strlen(i_opt) >= IFNAMSIZ) ||
+ (d_opt && strlen(d_opt) >= IFNAMSIZ) ||
+ (s_opt && strlen(s_opt) >= IFNAMSIZ) ||
+ (z_opt && strlen(z_opt) >= IFNAMSIZ) ||
+ (l_opt && strlen(l_opt) >= IFNAMSIZ)) {
+ die("interface name is too long");
+ }
+
strcpy(current_logfile, "");
if (f_opt) {
diff --git a/src/othptab.c b/src/othptab.c
index d1d9658..80f3dc8 100644
--- a/src/othptab.c
+++ b/src/othptab.c
@@ -271,7 +271,7 @@ struct othptabent *add_othp_entry(struct othptable *table, struct pkt_hdr *pkt,
}
new_entry->protocol = protocol;
- strcpy(new_entry->iface, ifname);
+ ifname_copy(new_entry->iface, ifname);
new_entry->pkt_length = pkt->pkt_len;
diff --git a/src/promisc.c b/src/promisc.c
index d94e8bb..4737962 100644
--- a/src/promisc.c
+++ b/src/promisc.c
@@ -70,7 +70,7 @@ static void promisc_enable_dev(struct list_head *promisc, int sock, const char *
struct promisc_list *new = xmallocz(sizeof(*new));
new->ifindex = ifindex;
- strcpy(new->ifname, dev);
+ ifname_copy(new->ifname, dev);
list_add_tail(&new->list, promisc);
}
diff --git a/src/tcptable.c b/src/tcptable.c
index 159d628..2c4efc1 100644
--- a/src/tcptable.c
+++ b/src/tcptable.c
@@ -365,8 +365,8 @@ struct tcptableent *addentry(struct tcptable *table,
* Store interface name
*/
- strcpy(new_entry->ifname, ifname);
- strcpy(new_entry->oth_connection->ifname, ifname);
+ ifname_copy(new_entry->ifname, ifname);
+ ifname_copy(new_entry->oth_connection->ifname, ifname);
/*
* Zero out MAC address fields
diff --git a/src/wrapper.c b/src/wrapper.c
index 2eb3b59..1d2dc6f 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -78,3 +78,11 @@ int strtol_i(char const *s, int base, int *result)
*result = ul;
return 0;
}
+
+/* it's up to the caller to ensure there is room for */
+/* at least IFNAMSIZ bytes in dst */
+void ifname_copy(char *dst, const char *src)
+{
+ strncpy(dst, src, IFNAMSIZ - 1);
+ dst[IFNAMSIZ - 1] = '\0';
+}
--
2.33.0

9
iptraf-ng.spec
View File

@ -1,7 +1,7 @@
Name: iptraf-ng
Summary: A console-based network monitoring utility
Version: 1.2.1
Release: 4
Release: 5
License: GPL-2.0-or-later
URL: https://github.com/%{name}/%{name}/
Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz
@ -12,6 +12,7 @@ Patch0: backport-use-correct-format-specifier-for-time_t-type.patch
Patch1: backport-use-correct-format-specifier-when-printing-packet-count.patch
Patch2: backport-use-correct-format-specifier-for-table-entcount-variable.patch
Patch3: iptraf-ng-Add-sw64-architecture.patch
Patch4: backport-CVE-2024-52949.patch
BuildRequires: gcc ncurses-devel
Obsoletes: iptraf < 3.1
@ -75,6 +76,12 @@ install -d -m 0755 %{buildroot}/run/%{name}/
%{_mandir}/man8/*.8.gz
%changelog
* Wed Nov 27 2024 liningjie<liningjie@xfusion.com> - 1.2.1-5
- Type:CVE
- CVE:CVE-2024-52949
- SUG:NA
- DESC:fix CVE-2024-52949
* Thu Aug 01 2024 yanglu<yanglu72@h-partners.com> - 1.2.1-4
- Type:bugfix
- CVE:NA