update to 3.1.1

json_book 2023-02-26 11:41:03 +08:00
parent a608bf2a02
commit a6c178ee7a
5 changed files with 5 additions and 121 deletions

@ -1,91 +0,0 @@
From ce15e4de5926724557e8642ec762a210632f15ca Mon Sep 17 00:00:00 2001
From: Richard Cochran <richardcochran@gmail.com>
Date: Sat, 17 Apr 2021 15:15:18 -0700
Subject: [PATCH] Validate the messageLength field of incoming messages.
The PTP messageLength field is redundant because the length of a PTP
message is precisely determined by the message type and the appended
TLVs. The current implementation validates the sizes of both the main
message (according to the fixed header length and fixed length by
type) and the TLVs (by using the 'L' of the TLV).
However, when forwarding a message, the messageLength field is used.
If a message arrives with a messageLength field larger than the actual
message size, the code will read and possibly write data beyond the
allocated buffer.
Fix the issue by validating the field on ingress. This prevents
reading and sending data past the message buffer when forwarding a
management message or other messages when operating as a transparent
clock, and it also prevents a memory corruption in msg_post_recv()
after forwarding a management message.
Reported-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
---
msg.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/msg.c b/msg.c
index d1619d49..5ae8ebbf 100644
--- a/msg.c
+++ b/msg.c
@@ -186,7 +186,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
{
uint8_t *ptr = msg_suffix(msg);
struct tlv_extra *extra;
- int err;
+ int err, suffix_len = 0;
if (!ptr)
return 0;
@@ -204,12 +204,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
tlv_extra_recycle(extra);
return -EBADMSG;
}
+ suffix_len += sizeof(struct TLV);
len -= sizeof(struct TLV);
ptr += sizeof(struct TLV);
if (extra->tlv->length > len) {
tlv_extra_recycle(extra);
return -EBADMSG;
}
+ suffix_len += extra->tlv->length;
len -= extra->tlv->length;
ptr += extra->tlv->length;
err = tlv_post_recv(extra);
@@ -219,7 +221,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
}
msg_tlv_attach(msg, extra);
}
- return 0;
+ return suffix_len;
}
static void suffix_pre_send(struct ptp_message *msg)
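Review bot: Returning `suffix_len` instead of 0 at the end of suffix_post_recv() changes the function's contract from "0 or negative errno" to "parsed suffix length or negative errno", and nothing in the hunk documents that. Add a comment above the function stating the new return convention, and check any other caller that still tests the result with `if (err)`, since a non-zero length would now be read as a failure.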
@@ -337,7 +339,7 @@ void msg_get(struct ptp_message *m)
int msg_post_recv(struct ptp_message *m, int cnt)
{
- int pdulen, type, err;
+ int err, pdulen, suffix_len, type;
if (cnt < sizeof(struct ptp_header))
return -EBADMSG;
@@ -422,9 +424,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
break;
}
- err = suffix_post_recv(m, cnt - pdulen);
- if (err)
- return err;
+ suffix_len = suffix_post_recv(m, cnt - pdulen);
+ if (suffix_len < 0) {
+ return suffix_len;
+ }
+ if (pdulen + suffix_len != m->header.messageLength) {
+ return -EBADMSG;
+ }
return 0;
}
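Review bot: The comparison `pdulen + suffix_len != m->header.messageLength` at the end of msg_post_recv() is only correct if messageLength is already in host byte order at this point, and the visible lines do not show that conversion; confirm it runs before this check. The mismatch path also returns -EBADMSG silently, so a one-line debug log of the computed and advertised lengths would make malformed senders visible to an operator.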

@ -1,26 +0,0 @@
From d61d77e163dbee247819f3d88593ba111577af15 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Fri, 26 Mar 2021 09:57:43 +0100
Subject: [PATCH] tc: Fix length of follow-up message of one-step sync.
Convert the length of the generated follow-up message to network order.
This fixes reading and sending of data past the message buffer.
Signed-off-by: Miroslav Lichvar <mlichvar@redhat.com>
---
tc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tc.c b/tc.c
index d9e4853..2e3830c 100644
--- a/tc.c
+++ b/tc.c
@@ -452,7 +452,7 @@ int tc_fwd_sync(struct port *q, struct ptp_message *msg)
}
fup->header.tsmt = FOLLOW_UP | (msg->header.tsmt & 0xf0);
fup->header.ver = msg->header.ver;
- fup->header.messageLength = sizeof(struct follow_up_msg);
+ fup->header.messageLength = htons(sizeof(struct follow_up_msg));
fup->header.domainNumber = msg->header.domainNumber;
fup->header.sourcePortIdentity = msg->header.sourcePortIdentity;
fup->header.sequenceId = msg->header.sequenceId;
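Review bot: The `htons()` on `fup->header.messageLength` in tc_fwd_sync() corrects the one field here that is assigned from a host-order value, while the neighbouring fields are copied straight from `msg->header`; a short comment saying the follow-up header is assembled in network byte order would keep the next hand-written field from repeating the mistake. Since the commit message ties this to reading and sending data past the message buffer, a regression test that forwards a one-step sync and checks the length on the wire would be worth adding.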

Binary file not shown.

BIN
linuxptp-3.1.1.tgz Normal file

Binary file not shown.

@ -1,6 +1,6 @@
Name: linuxptp Name: linuxptp
Version: 2.0 Version: 3.1.1
Release: 5 Release: 1
Summary: Linuxptp is an implementation of the Precision Time Protocol (PTP) Summary: Linuxptp is an implementation of the Precision Time Protocol (PTP)
Group: System Environment/Base Group: System Environment/Base
License: GPLv2+ License: GPLv2+
@ -9,8 +9,6 @@ Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tgz
Source1: phc2sys.service Source1: phc2sys.service
Source2: ptp4l.service Source2: ptp4l.service
patch0000: CVE-2021-3571.patch
Patch0001: CVE-2021-3570.patch
BuildRequires: gcc gcc-c++ systemd git net-tools BuildRequires: gcc gcc-c++ systemd git net-tools
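Review bot: Dropping `patch0000: CVE-2021-3571.patch` and `Patch0001: CVE-2021-3570.patch` is safe only if the 3.1.1 tarball already contains both fixes, and nothing in this hunk shows that. Please confirm against the new source that msg_post_recv() carries the messageLength check and tc_fwd_sync() the `htons()` conversion, and say so in the commit message.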
@ -75,12 +73,15 @@ echo 'OPTIONS="-a -r"' > %{buildroot}%{_sysconfdir}/sysconfig/phc2sys
%{_sbindir}/pmc %{_sbindir}/pmc
%{_sbindir}/ptp4l %{_sbindir}/ptp4l
%{_sbindir}/timemaster %{_sbindir}/timemaster
%{_sbindir}/ts2phc
%files help %files help
%{_mandir}/man8/*.8* %{_mandir}/man8/*.8*
%changelog %changelog
* Sat Feb 04 2023 wenchaofan <349464272@qq.com> - 3.1.1-1
- Update to 3.1.1 version
* Wed Sep 22 2021 yaoxin <yaoxin30@huawei.com> - 2.0-5 * Wed Sep 22 2021 yaoxin <yaoxin30@huawei.com> - 2.0-5
- Fix CVE-2021-3570 - Fix CVE-2021-3570
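Review bot: The new changelog entry says only "Update to 3.1.1 version", although the same change removes the two CVE patches and starts packaging `%{_sbindir}/ts2phc`. Record both in the entry, for example that the CVE-2021-3570 and CVE-2021-3571 patches are dropped because the fixes are included upstream (once that is confirmed), so the security history of the package stays traceable from the changelog.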