2 files changed, 130 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch
new file mode 100644
index 0000000000..69348030bb
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch
@@ -0,0 +1,129 @@
+From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 12 Mar 2024 00:37:23 -0700
+Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer.
+This both saves the buffer for freeing later and saves the packet
+pointer and snapend to be restored when packet processing is complete,
+even if an exception is thrown with longjmp.
+This means that the hex/ASCII printing in pretty_print_packet()
+processes the packet data as captured or read from the savefile, rather
+than as modified by the PPP printer, so that the bounds checking is
+correct.
+That fixes CVE-2024-2397, which was caused by an exception being thrown
+by the hex/ASCII printer (which should only happen if those routines are
+called by a packet printer, not if they're called for the -X/-x/-A
+flag), which jumps back to the setjmp() that surrounds the packet
+printer.  Hilarity^Winfinite looping ensues.
+Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
+routine, in case nd_pop_all_packet_info() didn't restore it.
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2]
+CVE: CVE-2024-2397
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ print-ppp.c | 31 +++++++++++++++++--------------
+ print.c     |  8 ++++++--
+ 2 files changed, 23 insertions(+), 16 deletions(-)
+diff --git a/print-ppp.c b/print-ppp.c
+index aba243d..e5ae064 100644
+--- a/print-ppp.c
+++ b/print-ppp.c
+@@ -42,6 +42,8 @@
+ #include <net/if_ppp.h>
+ #endif
+ 
+#include <stdlib.h>
+
+ #include "netdissect.h"
+ #include "extract.h"
+ #include "addrtoname.h"
+@@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo,
+        u_char *b, *t, c;
+        const u_char *s;
+        u_int i, proto;
+-       const void *sb, *se;
+ 
+        if (caplen == 0)
+                return;
+@@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo,
+         if (length == 0)
+                 return;
+ 
+-       b = (u_char *)nd_malloc(ndo, caplen);
+-       if (b == NULL)
+-               return;
+       b = (u_char *)malloc(caplen);
+       if (b == NULL) {
+               (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+                       "%s: malloc", __func__);
+       }
+ 
+        /*
+         * Unescape all the data into a temporary, private, buffer.
+@@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo,
+        }
+ 
+        /*
+-        * Change the end pointer, so bounds checks work.
+-        * Change the pointer to packet data to help debugging.
+        * Switch to the output buffer for dissection, and save it
+        * on the buffer stack so it can be freed; our caller must
+        * pop it when done.
+         */
+-       sb = ndo->ndo_packetp;
+-       se = ndo->ndo_snapend;
+-       ndo->ndo_packetp = b;
+-       ndo->ndo_snapend = t;
+       if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) {
+               free(b);
+               (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+                       "%s: can't push buffer on buffer stack", __func__);
+       }
+        length = ND_BYTES_AVAILABLE_AFTER(b);
+ 
+         /* now lets guess about the payload codepoint format */
+@@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo,
+         }
+ 
+ cleanup:
+-       ndo->ndo_packetp = sb;
+-       ndo->ndo_snapend = se;
+       nd_pop_packet_info(ndo);
+         return;
+ 
+ trunc:
+-       ndo->ndo_packetp = sb;
+-       ndo->ndo_snapend = se;
+       nd_pop_packet_info(ndo);
+        nd_print_trunc(ndo);
+ }
+ 
+diff --git a/print.c b/print.c
+index 9c0ab86..33706b9 100644
+--- a/print.c
+++ b/print.c
+@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h,
+        nd_pop_all_packet_info(ndo);
+ 
+        /*
+-        * Restore the original snapend, as a printer might have
+-        * changed it.
+        * Restore the originals snapend and packetp, as a printer
+        * might have changed them.
+        *
+        * XXX - nd_pop_all_packet_info() should have restored the
+        * original values, but, just in case....
+         */
+        ndo->ndo_snapend = sp + h->caplen;
+       ndo->ndo_packetp = sp;
+        if (ndo->ndo_Xflag) {
+                /*
+                 * Print the raw packet data in hex and ASCII.
+-- 
+2.25.1
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
index 803a9bb5f5..b05b832dd8 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
    http://www.tcpdump.org/release/${BP}.tar.gz \
    file://add-ptest.patch \
    file://run-ptest \
+    file://CVE-2024-2397.patch \
 "
 SRC_URI[sha256sum] = "0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea"

diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch new file mode 100644 index 0000000000..69348030bb --- /dev/null +++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2024-2397.patch
@@ -0,0 +1,129 @@
		1	From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001
		2	From: Guy Harris <gharris@sonic.net>
		3	Date: Tue, 12 Mar 2024 00:37:23 -0700
		4	Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer.
		5
		6	This both saves the buffer for freeing later and saves the packet
		7	pointer and snapend to be restored when packet processing is complete,
		8	even if an exception is thrown with longjmp.
		9
		10	This means that the hex/ASCII printing in pretty_print_packet()
		11	processes the packet data as captured or read from the savefile, rather
		12	than as modified by the PPP printer, so that the bounds checking is
		13	correct.
		14
		15	That fixes CVE-2024-2397, which was caused by an exception being thrown
		16	by the hex/ASCII printer (which should only happen if those routines are
		17	called by a packet printer, not if they're called for the -X/-x/-A
		18	flag), which jumps back to the setjmp() that surrounds the packet
		19	printer. Hilarity^Winfinite looping ensues.
		20
		21	Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
		22	routine, in case nd_pop_all_packet_info() didn't restore it.
		23
		24	Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2]
		25	CVE: CVE-2024-2397
		26	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		27	---
		28	print-ppp.c \| 31 +++++++++++++++++--------------
		29	print.c \| 8 ++++++--
		30	2 files changed, 23 insertions(+), 16 deletions(-)
		31
		32	diff --git a/print-ppp.c b/print-ppp.c
		33	index aba243d..e5ae064 100644
		34	--- a/print-ppp.c
		35	+++ b/print-ppp.c
		36	@@ -42,6 +42,8 @@
		37	#include <net/if_ppp.h>
		38	#endif
		39
		40	+#include <stdlib.h>
		41	+
		42	#include "netdissect.h"
		43	#include "extract.h"
		44	#include "addrtoname.h"
		45	@@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo,
		46	u_char b, t, c;
		47	const u_char *s;
		48	u_int i, proto;
		49	- const void sb, se;
		50
		51	if (caplen == 0)
		52	return;
		53	@@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo,
		54	if (length == 0)
		55	return;
		56
		57	- b = (u_char *)nd_malloc(ndo, caplen);
		58	- if (b == NULL)
		59	- return;
		60	+ b = (u_char *)malloc(caplen);
		61	+ if (b == NULL) {
		62	+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
		63	+ "%s: malloc", __func__);
		64	+ }
		65
		66	/*
		67	* Unescape all the data into a temporary, private, buffer.
		68	@@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo,
		69	}
		70
		71	/*
		72	- * Change the end pointer, so bounds checks work.
		73	- * Change the pointer to packet data to help debugging.
		74	+ * Switch to the output buffer for dissection, and save it
		75	+ * on the buffer stack so it can be freed; our caller must
		76	+ * pop it when done.
		77	*/
		78	- sb = ndo->ndo_packetp;
		79	- se = ndo->ndo_snapend;
		80	- ndo->ndo_packetp = b;
		81	- ndo->ndo_snapend = t;
		82	+ if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) {
		83	+ free(b);
		84	+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
		85	+ "%s: can't push buffer on buffer stack", __func__);
		86	+ }
		87	length = ND_BYTES_AVAILABLE_AFTER(b);
		88
		89	/* now lets guess about the payload codepoint format */
		90	@@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo,
		91	}
		92
		93	cleanup:
		94	- ndo->ndo_packetp = sb;
		95	- ndo->ndo_snapend = se;
		96	+ nd_pop_packet_info(ndo);
		97	return;
		98
		99	trunc:
		100	- ndo->ndo_packetp = sb;
		101	- ndo->ndo_snapend = se;
		102	+ nd_pop_packet_info(ndo);
		103	nd_print_trunc(ndo);
		104	}
		105
		106	diff --git a/print.c b/print.c
		107	index 9c0ab86..33706b9 100644
		108	--- a/print.c
		109	+++ b/print.c
		110	@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options ndo, const struct pcap_pkthdr h,
		111	nd_pop_all_packet_info(ndo);
		112
		113	/*
		114	- * Restore the original snapend, as a printer might have
		115	- * changed it.
		116	+ * Restore the originals snapend and packetp, as a printer
		117	+ * might have changed them.
		118	+ *
		119	+ * XXX - nd_pop_all_packet_info() should have restored the
		120	+ * original values, but, just in case....
		121	*/
		122	ndo->ndo_snapend = sp + h->caplen;
		123	+ ndo->ndo_packetp = sp;
		124	if (ndo->ndo_Xflag) {
		125	/*
		126	* Print the raw packet data in hex and ASCII.
		127	--
		128	2.25.1
		129


diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb index 803a9bb5f5..b05b832dd8 100644 --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.99.4.bb
@@ -24,6 +24,7 @@ SRC_URI = " \
24	http://www.tcpdump.org/release/${BP}.tar.gz \	24	http://www.tcpdump.org/release/${BP}.tar.gz \
25	file://add-ptest.patch \	25	file://add-ptest.patch \
26	file://run-ptest \	26	file://run-ptest \
		27	file://CVE-2024-2397.patch \
27	"	28	"
28		29
29	SRC_URI[sha256sum] = "0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea"	30	SRC_URI[sha256sum] = "0232231bb2f29d6bf2426e70a08a7e0c63a0d59a9b44863b7f5e2357a6e49fea"