iperf3: Fix CVE-2023-38403

iperf3 before 3.14 allows peers to cause an integer overflow and heap corruption via a crafted length field. NVD link: https://nvd.nist.gov/vuln/detail/CVE-2023-38403 Upstream-Status: Backported from https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 Signed-off-by: Bhargav Das <bhargav.das@siemens.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Bhargav Das <bhargav.das@siemens.com> 2023-09-19 02:10:41 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-09-19 07:30:51 -0400
commit: 0fb607b8db16e074cfd9b2f66f18cfb2eb02cfb6 (patch)
tree: 62500a176b3922f41d501dcf0c355f907fc75ae1
parent: e42d1e758f9f08b98c0e8c6f0532316951bb276f (diff)
download: meta-openembedded-0fb607b8db16e074cfd9b2f66f18cfb2eb02cfb6.tar.gz
2 files changed, 47 insertions, 0 deletions
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch
new file mode 100644
index 0000000000..450cdde1f8
--- /dev/null
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch
@@ -0,0 +1,46 @@
+From 0ef151550d96cc4460f98832df84b4a1e87c65e9 Mon Sep 17 00:00:00 2001
+From: "Bruce A. Mah" <bmah@es.net>
+Date: Fri, 7 Jul 2023 11:35:02 -0700
+Subject: [PATCH] Fix memory allocation hazard (#1542). (#1543)
+Reported by:    @someusername123 on GitHub
+---
+ src/iperf_api.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+diff --git a/src/iperf_api.c b/src/iperf_api.c
+index f2d4162..a95e024 100644
+--- a/src/iperf_api.c
+++ b/src/iperf_api.c
+@@ -2670,6 +2670,7 @@ static cJSON *
+ JSON_read(int fd)
+ {
+     uint32_t hsize, nsize;
+    size_t strsize;
+     char *str;
+     cJSON *json = NULL;
+     int rc;
+@@ -2682,7 +2683,9 @@ JSON_read(int fd)
+     if (Nread(fd, (char*) &nsize, sizeof(nsize), Ptcp) >= 0) {
+        hsize = ntohl(nsize);
+        /* Allocate a buffer to hold the JSON */
+-       str = (char *) calloc(sizeof(char), hsize+1);   /* +1 for trailing null */
+       strsize = hsize + 1;              /* +1 for trailing NULL */
+       if (strsize) {
+       str = (char *) calloc(sizeof(char), strsize);
+        if (str != NULL) {
+            rc = Nread(fd, str, hsize, Ptcp);
+            if (rc >= 0) {
+@@ -2701,6 +2704,10 @@ JSON_read(int fd)
+            }
+        }
+        free(str);
+       }
+       else {
+           printf("WARNING:  Data length overflow\n");
+       }
+     }
+     return json;
+ }
+-- 
+2.25.1
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
index b7ffb029a3..19be5d94c0 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
@@ -15,6 +15,7 @@ DEPENDS = "openssl"
 SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
           file://0002-Remove-pg-from-profile_CFLAGS.patch \
+           file://0001-Fix-memory-allocation-hazard-1542-.-1543.patch \
           "
 SRCREV = "dfcea9f6a09ead01089a3c9d20c7032f2c0af2c1"
author	Bhargav Das <bhargav.das@siemens.com>	2023-09-19 02:10:41 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-09-19 07:30:51 -0400
commit	0fb607b8db16e074cfd9b2f66f18cfb2eb02cfb6 (patch)
tree	62500a176b3922f41d501dcf0c355f907fc75ae1
parent	e42d1e758f9f08b98c0e8c6f0532316951bb276f (diff)
download	meta-openembedded-0fb607b8db16e074cfd9b2f66f18cfb2eb02cfb6.tar.gz

diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch new file mode 100644 index 0000000000..450cdde1f8 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/0001-Fix-memory-allocation-hazard-1542-.-1543.patch
@@ -0,0 +1,46 @@
		1	From 0ef151550d96cc4460f98832df84b4a1e87c65e9 Mon Sep 17 00:00:00 2001
		2	From: "Bruce A. Mah" <bmah@es.net>
		3	Date: Fri, 7 Jul 2023 11:35:02 -0700
		4	Subject: [PATCH] Fix memory allocation hazard (#1542). (#1543)
		5
		6	Reported by: @someusername123 on GitHub
		7	---
		8	src/iperf_api.c \| 9 ++++++++-
		9	1 file changed, 8 insertions(+), 1 deletion(-)
		10
		11	diff --git a/src/iperf_api.c b/src/iperf_api.c
		12	index f2d4162..a95e024 100644
		13	--- a/src/iperf_api.c
		14	+++ b/src/iperf_api.c
		15	@@ -2670,6 +2670,7 @@ static cJSON *
		16	JSON_read(int fd)
		17	{
		18	uint32_t hsize, nsize;
		19	+ size_t strsize;
		20	char *str;
		21	cJSON *json = NULL;
		22	int rc;
		23	@@ -2682,7 +2683,9 @@ JSON_read(int fd)
		24	if (Nread(fd, (char*) &nsize, sizeof(nsize), Ptcp) >= 0) {
		25	hsize = ntohl(nsize);
		26	/* Allocate a buffer to hold the JSON */
		27	- str = (char ) calloc(sizeof(char), hsize+1); / +1 for trailing null */
		28	+ strsize = hsize + 1; /* +1 for trailing NULL */
		29	+ if (strsize) {
		30	+ str = (char *) calloc(sizeof(char), strsize);
		31	if (str != NULL) {
		32	rc = Nread(fd, str, hsize, Ptcp);
		33	if (rc >= 0) {
		34	@@ -2701,6 +2704,10 @@ JSON_read(int fd)
		35	}
		36	}
		37	free(str);
		38	+ }
		39	+ else {
		40	+ printf("WARNING: Data length overflow\n");
		41	+ }
		42	}
		43	return json;
		44	}
		45	--
		46	2.25.1


diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb index b7ffb029a3..19be5d94c0 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.7.bb
@@ -15,6 +15,7 @@ DEPENDS = "openssl"
15		15
16	SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \	16	SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
17	file://0002-Remove-pg-from-profile_CFLAGS.patch \	17	file://0002-Remove-pg-from-profile_CFLAGS.patch \
		18	file://0001-Fix-memory-allocation-hazard-1542-.-1543.patch \
18	"	19	"
19		20
20	SRCREV = "dfcea9f6a09ead01089a3c9d20c7032f2c0af2c1"	21	SRCREV = "dfcea9f6a09ead01089a3c9d20c7032f2c0af2c1"