!18 linuxptp在master进行升级,到3.1.1
From: @json-book Reviewed-by: @caodongxia Signed-off-by: @caodongxia
This commit is contained in:
openeuler-ci-bot
Gitee
commit
6a8996e8a8
@ -1,91 +0,0 @@
|
||||
From ce15e4de5926724557e8642ec762a210632f15ca Mon Sep 17 00:00:00 2001
|
||||
From: Richard Cochran <richardcochran@gmail.com>
|
||||
Date: Sat, 17 Apr 2021 15:15:18 -0700
|
||||
Subject: [PATCH] Validate the messageLength field of incoming messages.
|
||||
|
||||
The PTP messageLength field is redundant because the length of a PTP
|
||||
message is precisely determined by the message type and the appended
|
||||
TLVs. The current implementation validates the sizes of both the main
|
||||
message (according to the fixed header length and fixed length by
|
||||
type) and the TLVs (by using the 'L' of the TLV).
|
||||
|
||||
However, when forwarding a message, the messageLength field is used.
|
||||
If a message arrives with a messageLength field larger than the actual
|
||||
message size, the code will read and possibly write data beyond the
|
||||
allocated buffer.
|
||||
|
||||
Fix the issue by validating the field on ingress. This prevents
|
||||
reading and sending data past the message buffer when forwarding a
|
||||
management message or other messages when operating as a transparent
|
||||
clock, and it also prevents a memory corruption in msg_post_recv()
|
||||
after forwarding a management message.
|
||||
|
||||
Reported-by: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
|
||||
---
|
||||
msg.c | 18 ++++++++++++------
|
||||
1 file changed, 12 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/msg.c b/msg.c
|
||||
index d1619d49..5ae8ebbf 100644
|
||||
--- a/msg.c
|
||||
+++ b/msg.c
|
||||
@@ -186,7 +186,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
|
||||
{
|
||||
uint8_t *ptr = msg_suffix(msg);
|
||||
struct tlv_extra *extra;
|
||||
- int err;
|
||||
+ int err, suffix_len = 0;
|
||||
|
||||
if (!ptr)
|
||||
return 0;
|
||||
@@ -204,12 +204,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
|
||||
tlv_extra_recycle(extra);
|
||||
return -EBADMSG;
|
||||
}
|
||||
+ suffix_len += sizeof(struct TLV);
|
||||
len -= sizeof(struct TLV);
|
||||
ptr += sizeof(struct TLV);
|
||||
if (extra->tlv->length > len) {
|
||||
tlv_extra_recycle(extra);
|
||||
return -EBADMSG;
|
||||
}
|
||||
+ suffix_len += extra->tlv->length;
|
||||
len -= extra->tlv->length;
|
||||
ptr += extra->tlv->length;
|
||||
err = tlv_post_recv(extra);
|
||||
@@ -219,7 +221,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
|
||||
}
|
||||
msg_tlv_attach(msg, extra);
|
||||
}
|
||||
- return 0;
|
||||
+ return suffix_len;
|
||||
}
|
||||
|
||||
static void suffix_pre_send(struct ptp_message *msg)
|
||||
@@ -337,7 +339,7 @@ void msg_get(struct ptp_message *m)
|
||||
|
||||
int msg_post_recv(struct ptp_message *m, int cnt)
|
||||
{
|
||||
- int pdulen, type, err;
|
||||
+ int err, pdulen, suffix_len, type;
|
||||
|
||||
if (cnt < sizeof(struct ptp_header))
|
||||
return -EBADMSG;
|
||||
@@ -422,9 +424,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
|
||||
break;
|
||||
}
|
||||
|
||||
- err = suffix_post_recv(m, cnt - pdulen);
|
||||
- if (err)
|
||||
- return err;
|
||||
+ suffix_len = suffix_post_recv(m, cnt - pdulen);
|
||||
+ if (suffix_len < 0) {
|
||||
+ return suffix_len;
|
||||
+ }
|
||||
+ if (pdulen + suffix_len != m->header.messageLength) {
|
||||
+ return -EBADMSG;
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1,26 +0,0 @@
|
||||
From d61d77e163dbee247819f3d88593ba111577af15 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
Date: Fri, 26 Mar 2021 09:57:43 +0100
|
||||
Subject: [PATCH] tc: Fix length of follow-up message of one-step sync.
|
||||
|
||||
Convert the length of the generated follow-up message to network order.
|
||||
This fixes reading and sending of data past the message buffer.
|
||||
|
||||
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
|
||||
---
|
||||
tc.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tc.c b/tc.c
|
||||
index d9e4853..2e3830c 100644
|
||||
--- a/tc.c
|
||||
+++ b/tc.c
|
||||
@@ -452,7 +452,7 @@ int tc_fwd_sync(struct port *q, struct ptp_message *msg)
|
||||
}
|
||||
fup->header.tsmt = FOLLOW_UP | (msg->header.tsmt & 0xf0);
|
||||
fup->header.ver = msg->header.ver;
|
||||
- fup->header.messageLength = sizeof(struct follow_up_msg);
|
||||
+ fup->header.messageLength = htons(sizeof(struct follow_up_msg));
|
||||
fup->header.domainNumber = msg->header.domainNumber;
|
||||
fup->header.sourcePortIdentity = msg->header.sourcePortIdentity;
|
||||
fup->header.sequenceId = msg->header.sequenceId;
|
||||
BIN
linuxptp-2.0.tgz
BIN
linuxptp-2.0.tgz
Binary file not shown.
BIN
linuxptp-3.1.1.tgz
Normal file
BIN
linuxptp-3.1.1.tgz
Normal file
Binary file not shown.
@ -1,6 +1,6 @@
|
||||
Name: linuxptp
|
||||
Version: 2.0
|
||||
Release: 5
|
||||
Version: 3.1.1
|
||||
Release: 1
|
||||
Summary: Linuxptp is an implementation of the Precision Time Protocol (PTP)
|
||||
Group: System Environment/Base
|
||||
License: GPLv2+
|
||||
@ -9,8 +9,6 @@ Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tgz
|
||||
Source1: phc2sys.service
|
||||
Source2: ptp4l.service
|
||||
|
||||
patch0000: CVE-2021-3571.patch
|
||||
Patch0001: CVE-2021-3570.patch
|
||||
|
||||
BuildRequires: gcc gcc-c++ systemd git net-tools
|
||||
|
||||
@ -75,12 +73,15 @@ echo 'OPTIONS="-a -r"' > %{buildroot}%{_sysconfdir}/sysconfig/phc2sys
|
||||
%{_sbindir}/pmc
|
||||
%{_sbindir}/ptp4l
|
||||
%{_sbindir}/timemaster
|
||||
%{_sbindir}/ts2phc
|
||||
|
||||
|
||||
%files help
|
||||
%{_mandir}/man8/*.8*
|
||||
|
||||
%changelog
|
||||
* Sat Feb 04 2023 wenchaofan <349464272@qq.com> - 3.1.1-1
|
||||
- Update to 3.1.1 version
|
||||
* Wed Sep 22 2021 yaoxin <yaoxin30@huawei.com> - 2.0-5
|
||||
- Fix CVE-2021-3570
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user