revert "fix CVE-2024-2397"

xinghe 2024-04-28 01:47:16 +00:00
parent 4b7647de2f
commit 322d9a3f29
2 changed files with 8 additions and 128 deletions


@ -1,125 +0,0 @@
From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001
From: Guy Harris <gharris@sonic.net>
Date: Tue, 12 Mar 2024 00:37:23 -0700
Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer.
This both saves the buffer for freeing later and saves the packet
pointer and snapend to be restored when packet processing is complete,
even if an exception is thrown with longjmp.
This means that the hex/ASCII printing in pretty_print_packet()
processes the packet data as captured or read from the savefile, rather
than as modified by the PPP printer, so that the bounds checking is
correct.
That fixes CVE-2024-2397, which was caused by an exception being thrown
by the hex/ASCII printer (which should only happen if those routines are
called by a packet printer, not if they're called for the -X/-x/-A
flag), which jumps back to the setjmp() that surrounds the packet
printer. Hilarity^Winfinite looping ensues.
Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
routine, in case nd_pop_all_packet_info() didn't restore it.
Conflict: context adapt
Reference: https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2
---
print-ppp.c | 31 +++++++++++++++++--------------
print.c | 8 ++++++--
2 files changed, 23 insertions(+), 16 deletions(-)
diff --git a/print-ppp.c b/print-ppp.c
index 2cf06c363..9aed23eb9 100644
--- a/print-ppp.c
+++ b/print-ppp.c
@@ -37,6 +37,8 @@
#include <net/if_ppp.h>
#endif
+#include <stdlib.h>
+
#include "netdissect.h"
#include "extract.h"
#include "addrtoname.h"
@@ -1358,7 +1360,6 @@ ppp_hdlc(netdissect_options *ndo,
u_char *b, *t, c;
const u_char *s;
u_int i, proto;
- const void *sb, *se;
if (caplen == 0)
return;
@@ -1366,9 +1367,11 @@ ppp_hdlc(netdissect_options *ndo,
if (length == 0)
return;
- b = (u_char *)nd_malloc(ndo, caplen);
- if (b == NULL)
- return;
+ b = (u_char *)malloc(caplen);
+ if (b == NULL) {
+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+ "%s: malloc", __func__);
+ }
/*
* Unescape all the data into a temporary, private, buffer.
@@ -1389,13 +1392,15 @@ ppp_hdlc(netdissect_options *ndo,
}
/*
- * Change the end pointer, so bounds checks work.
- * Change the pointer to packet data to help debugging.
+ * Switch to the output buffer for dissection, and save it
+ * on the buffer stack so it can be freed; our caller must
+ * pop it when done.
*/
- sb = ndo->ndo_packetp;
- se = ndo->ndo_snapend;
- ndo->ndo_packetp = b;
- ndo->ndo_snapend = t;
+ if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) {
+ free(b);
+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+ "%s: can't push buffer on buffer stack", __func__);
+ }
length = ND_BYTES_AVAILABLE_AFTER(b);
/* now lets guess about the payload codepoint format */
@@ -1437,13 +1442,11 @@ ppp_hdlc(netdissect_options *ndo,
}
cleanup:
- ndo->ndo_packetp = sb;
- ndo->ndo_snapend = se;
+ nd_pop_packet_info(ndo);
return;
trunc:
- ndo->ndo_packetp = sb;
- ndo->ndo_snapend = se;
+ nd_pop_packet_info(ndo);
nd_print_trunc(ndo);
}
diff --git a/print.c b/print.c
index b9ba5997d..f20633388 100644
--- a/print.c
+++ b/print.c
@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h,
nd_pop_all_packet_info(ndo);
/*
- * Restore the original snapend, as a printer might have
- * changed it.
+ * Restore the originals snapend and packetp, as a printer
+ * might have changed them.
+ *
+ * XXX - nd_pop_all_packet_info() should have restored the
+ * original values, but, just in case....
*/
ndo->ndo_snapend = sp + h->caplen;
+ ndo->ndo_packetp = sp;
if (ndo->ndo_Xflag) {
/*
* Print the raw packet data in hex and ASCII.


@ -3,7 +3,7 @@
Name: tcpdump Name: tcpdump
Epoch: 14 Epoch: 14
Version: 4.99.4 Version: 4.99.4
Release: 3 Release: 4
Summary: A network traffic monitoring tool Summary: A network traffic monitoring tool
License: BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND ISC AND NTP License: BSD-2-Clause AND BSD-3-Clause AND BSD-4-Clause AND BSD-4-Clause-UC AND ISC AND NTP
URL: http://www.tcpdump.org URL: http://www.tcpdump.org
@ -17,8 +17,7 @@ Patch1: backport-0003-Drop-root-priviledges-before-opening-first-savefil
Patch2: backport-0007-Introduce-nn-option.patch Patch2: backport-0007-Introduce-nn-option.patch
Patch3: backport-0009-Change-n-flag-to-nn-in-TESTonce.patch Patch3: backport-0009-Change-n-flag-to-nn-in-TESTonce.patch
Patch4: tcpdump-Add-sw64-architecture.patch Patch4: tcpdump-Add-sw64-architecture.patch
Patch5: backport-CVE-2024-2397.patch Patch5: backport-0010-Fix-a-not-defined-macro-error.patch
Patch6: backport-0010-Fix-a-not-defined-macro-error.patch
Requires(pre): shadow-utils Requires(pre): shadow-utils
BuildRequires: automake openssl-devel libpcap-devel git-core gcc make BuildRequires: automake openssl-devel libpcap-devel git-core gcc make
@ -90,6 +89,12 @@ make check
%{_mandir}/man8/tcpdump.8* %{_mandir}/man8/tcpdump.8*
%changelog %changelog
* Sun Apr 28 2024 xinghe <xinghe2@h-partners.com> - 14:4.99.4-4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:revert "fix CVE-2024-2397"
* Sat Apr 20 2024 zhangyaqi <zhangyaqi@kylinos.cn> - 14:4.99.4-3 * Sat Apr 20 2024 zhangyaqi <zhangyaqi@kylinos.cn> - 14:4.99.4-3
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
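Review bot: The new changelog entry at the end of the spec records `- CVE:NA`, yet the same change drops `Patch5: backport-CVE-2024-2397.patch` and deletes the patch file itself, so the built package is once again affected by CVE-2024-2397 — the hex/ASCII-printer exception and infinite loop that the removed patch's description spells out — without that fact being visible in the package history. The entry should name the CVE and the reason for reverting, e.g. `- CVE:CVE-2024-2397` and `- DESC:revert "fix CVE-2024-2397" (<REASON PLACEHOLDER: e.g. regression in the context-adapted backport>)`, so that downstream vulnerability tracking and a later re-application of the fix can find it. Nothing on the page states why the fix is being reverted; presumably the "Conflict: context adapt" backport caused a build or test regression, but that should be stated rather than inferred. Renumbering the macro-error patch from Patch6 to Patch5 looks consistent, though the `%prep` section that applies the patches is outside the visible hunks, so I cannot confirm nothing else refers to Patch6.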