tcpdump: Add fix for CVE-2018-16301

Add patch for CVE issue: CVE-2018-16301 Link: https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Upstream-Status: Pending Issue: MGUBSYS-5370 Change-Id: I2aac084e61ba9d71ae614a97b4924eaa60328b79 Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com> 2022-05-25 11:24:56 +0530
committer: Armin Kuster <akuster808@gmail.com> 2022-05-25 19:34:39 -0700
commit: deee226017877d51188e0a46f9e6b93c10ffbb34 (patch)
tree: 1f6db1aa3d7ea2af7167dcb7d9eb58af42252862
parent: 9f361cff9c73fdb532d3dde229633cc687424805 (diff)
download: meta-openembedded-deee226017877d51188e0a46f9e6b93c10ffbb34.tar.gz
2 files changed, 112 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
new file mode 100644
index 0000000000..5f5c68ccd6
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
@@ -0,0 +1,111 @@
+From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Wed, 30 Sep 2020 11:37:30 -0700
+Subject: [PATCH] Handle very large -f files by rejecting them.
+_read(), on Windows, has a 32-bit size argument and a 32-bit return
+value, so reject -f files that have more than 2^31-1 characters.
+Add some #defines so that, on Windows, we use _fstati64 to get the size
+of that file, to handle large files.
+Don't assume that our definition for ssize_t is the same size as size_t;
+by the time we want to print the return value of the read, we know it'll
+fit into an int, so just cast it to int and print it with %d.
+(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77)
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86]
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
+---
+ netdissect-stdinc.h | 16 +++++++++++++++-
+ tcpdump.c           | 15 ++++++++++++---
+ 2 files changed, 27 insertions(+), 4 deletions(-)
+diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h
+index 8282c5846..9941c2a16 100644
+--- a/netdissect-stdinc.h
+++ b/netdissect-stdinc.h
+@@ -149,10 +149,17 @@
+ #ifdef _MSC_VER
+ #define stat _stat
+ #define open _open
+-#define fstat _fstat
+ #define read _read
+ #define close _close
+ #define O_RDONLY _O_RDONLY
+
+/*
+ * We define our_fstat64 as _fstati64, and define our_statb as
+ * struct _stati64, so we get 64-bit file sizes.
+ */
+#define our_fstat _fstati64
+#define our_statb struct _stati64
+
+ #endif  /* _MSC_VER */
+ 
+ /*
+@@ -211,6 +218,13 @@ typedef char* caddr_t;
+ 
+ #include <arpa/inet.h>
+ 
+/*
+ * We should have large file support enabled, if it's available,
+ * so just use fstat as our_fstat and struct stat as our_statb.
+ */
+#define our_fstat fstat
+#define our_statb struct stat
+
+ #endif /* _WIN32 */
+ 
+ #ifndef HAVE___ATTRIBUTE__
+diff --git a/tcpdump.c b/tcpdump.c
+index 043bda1d7..8f27ba2a4 100644
+--- a/tcpdump.c
+++ b/tcpdump.c
+@@ -108,6 +108,7 @@ The Regents of the University of California.  All rights reserved.\n";
+ #endif /* HAVE_CAP_NG_H */
+ #endif /* HAVE_LIBCAP_NG */
+ 
+#include "netdissect-stdinc.h"
+ #include "netdissect.h"
+ #include "interface.h"
+ #include "addrtoname.h"
+@@ -861,15 +862,22 @@ read_infile(char *fname)
+ {
+        register int i, fd, cc;
+        register char *cp;
+-       struct stat buf;
+       our_statb buf;
+ 
+        fd = open(fname, O_RDONLY|O_BINARY);
+        if (fd < 0)
+                error("can't open %s: %s", fname, pcap_strerror(errno));
+ 
+-       if (fstat(fd, &buf) < 0)
+       if (our_fstat(fd, &buf) < 0)
+                error("can't stat %s: %s", fname, pcap_strerror(errno));
+ 
+       /*
+        * Reject files whose size doesn't fit into an int; a filter
+        * *that* large will probably be too big.
+        */
+       if (buf.st_size > INT_MAX)
+               error("%s is too large", fname);
+
+        cp = malloc((u_int)buf.st_size + 1);
+        if (cp == NULL)
+                error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1,
+@@ -878,7 +886,8 @@ read_infile(char *fname)
+        if (cc < 0)
+                error("read %s: %s", fname, pcap_strerror(errno));
+        if (cc != buf.st_size)
+-               error("short read %s (%d != %d)", fname, cc, (int)buf.st_size);
+               error("short read %s (%d != %d)", fname, (int) cc,
+                   (int)buf.st_size);
+ 
+        close(fd);
+        /* replace "# comment" with spaces */
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
index 2ea493863a..66bf217751 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
    file://add-ptest.patch \
    file://run-ptest \
    file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
+    file://CVE-2018-16301.patch \
 "
 SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
author	Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>	2022-05-25 11:24:56 +0530
committer	Armin Kuster <akuster808@gmail.com>	2022-05-25 19:34:39 -0700
commit	deee226017877d51188e0a46f9e6b93c10ffbb34 (patch)
tree	1f6db1aa3d7ea2af7167dcb7d9eb58af42252862
parent	9f361cff9c73fdb532d3dde229633cc687424805 (diff)
download	meta-openembedded-deee226017877d51188e0a46f9e6b93c10ffbb34.tar.gz

diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch new file mode 100644 index 0000000000..5f5c68ccd6 --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
@@ -0,0 +1,111 @@
		1	From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Wed, 30 Sep 2020 11:37:30 -0700
		4	Subject: [PATCH] Handle very large -f files by rejecting them.
		5
		6	_read(), on Windows, has a 32-bit size argument and a 32-bit return
		7	value, so reject -f files that have more than 2^31-1 characters.
		8
		9	Add some #defines so that, on Windows, we use _fstati64 to get the size
		10	of that file, to handle large files.
		11
		12	Don't assume that our definition for ssize_t is the same size as size_t;
		13	by the time we want to print the return value of the read, we know it'll
		14	fit into an int, so just cast it to int and print it with %d.
		15
		16	(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77)
		17
		18	CVE: CVE-2022-25308
		19	Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86]
		20
		21	Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@kpit.com>
		22
		23	---
		24	netdissect-stdinc.h \| 16 +++++++++++++++-
		25	tcpdump.c \| 15 ++++++++++++---
		26	2 files changed, 27 insertions(+), 4 deletions(-)
		27
		28	diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h
		29	index 8282c5846..9941c2a16 100644
		30	--- a/netdissect-stdinc.h
		31	+++ b/netdissect-stdinc.h
		32	@@ -149,10 +149,17 @@
		33	#ifdef _MSC_VER
		34	#define stat _stat
		35	#define open _open
		36	-#define fstat _fstat
		37	#define read _read
		38	#define close _close
		39	#define O_RDONLY _O_RDONLY
		40	+
		41	+/*
		42	+ * We define our_fstat64 as _fstati64, and define our_statb as
		43	+ * struct _stati64, so we get 64-bit file sizes.
		44	+ */
		45	+#define our_fstat _fstati64
		46	+#define our_statb struct _stati64
		47	+
		48	#endif /* _MSC_VER */
		49
		50	/*
		51	@@ -211,6 +218,13 @@ typedef char* caddr_t;
		52
		53	#include <arpa/inet.h>
		54
		55	+/*
		56	+ * We should have large file support enabled, if it's available,
		57	+ * so just use fstat as our_fstat and struct stat as our_statb.
		58	+ */
		59	+#define our_fstat fstat
		60	+#define our_statb struct stat
		61	+
		62	#endif /* _WIN32 */
		63
		64	#ifndef HAVE___ATTRIBUTE__
		65	diff --git a/tcpdump.c b/tcpdump.c
		66	index 043bda1d7..8f27ba2a4 100644
		67	--- a/tcpdump.c
		68	+++ b/tcpdump.c
		69	@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n";
		70	#endif /* HAVE_CAP_NG_H */
		71	#endif /* HAVE_LIBCAP_NG */
		72
		73	+#include "netdissect-stdinc.h"
		74	#include "netdissect.h"
		75	#include "interface.h"
		76	#include "addrtoname.h"
		77	@@ -861,15 +862,22 @@ read_infile(char *fname)
		78	{
		79	register int i, fd, cc;
		80	register char *cp;
		81	- struct stat buf;
		82	+ our_statb buf;
		83
		84	fd = open(fname, O_RDONLY\|O_BINARY);
		85	if (fd < 0)
		86	error("can't open %s: %s", fname, pcap_strerror(errno));
		87
		88	- if (fstat(fd, &buf) < 0)
		89	+ if (our_fstat(fd, &buf) < 0)
		90	error("can't stat %s: %s", fname, pcap_strerror(errno));
		91
		92	+ /*
		93	+ * Reject files whose size doesn't fit into an int; a filter
		94	+ * that large will probably be too big.
		95	+ */
		96	+ if (buf.st_size > INT_MAX)
		97	+ error("%s is too large", fname);
		98	+
		99	cp = malloc((u_int)buf.st_size + 1);
		100	if (cp == NULL)
		101	error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1,
		102	@@ -878,7 +886,8 @@ read_infile(char *fname)
		103	if (cc < 0)
		104	error("read %s: %s", fname, pcap_strerror(errno));
		105	if (cc != buf.st_size)
		106	- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size);
		107	+ error("short read %s (%d != %d)", fname, (int) cc,
		108	+ (int)buf.st_size);
		109
		110	close(fd);
		111	/* replace "# comment" with spaces */


diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb index 2ea493863a..66bf217751 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
18	file://add-ptest.patch \	18	file://add-ptest.patch \
19	file://run-ptest \	19	file://run-ptest \
20	file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \	20	file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
		21	file://CVE-2018-16301.patch \
21	"	22	"
22		23
23	SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"	24	SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"