path: root/recipes-ids/suricata/files/CVE-2024-37151.patch
blob: 7e5d8e2708c446eac49be2b95ef55e3539396835 (plain)
From a6052dca1e27f3c8f96ec7be0fe7514c56a0d56f Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Tue, 4 Jun 2024 14:43:22 +0200
Subject: [PATCH 1/4] defrag: don't use completed tracker

When a Tracker is set up for an IPID, frags come in for it and it's
reassembled and complete, the `DefragTracker::remove` flag is set. This
is meant to tell the hash cleanup code to recycle the tracker and to let
the lookup code skip the tracker during lookup.

A logic error led to the following scenario:

1. there are sufficient frag trackers to make sure the hash table is
   filled with trackers
2. frags for a Packet with IPID X are processed correctly (X1)
3. frags for a new Packet that also has IPID X come in quickly after the
   first (X2).
4. during the lookup, the frag for X2 hashes to a hash row that holds
   more than one tracker
5. as the trackers in hash row are evaluated, it finds the tracker for
   X1, but since the `remove` bit is not checked, it is returned as the
   tracker for X2.
6. reassembly fails, as the tracker is already complete

The logic error is that only for the first tracker in a row the `remove`
bit was checked, leading to reuse of a closed tracker if there were more
trackers in the hash row.

Ticket: #7042.

Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b]
CVE: CVE-2024-37151
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 src/defrag-hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/defrag-hash.c b/src/defrag-hash.c
index 2f19ce2..87d40f9 100644
--- a/src/defrag-hash.c
+++ b/src/defrag-hash.c
@@ -591,7 +591,7 @@ DefragTracker *DefragGetTrackerFromHash (Packet *p)
                 return dt;
             }
 
-            if (DefragTrackerCompare(dt, p) != 0) {
+            if (!dt->remove && DefragTrackerCompare(dt, p) != 0) {
                 /* we found our tracker, lets put it on top of the
                  * hash list -- this rewards active trackers */
                 if (dt->hnext) {
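Review bot: The `!dt->remove` guard on the changed `if` in DefragGetTrackerFromHash repeats, as a separate condition, the check that the commit message says was already made for the first tracker in the row, and having the two checks live in separate places is what allowed one of them to be missed. Consider folding `!dt->remove && DefragTrackerCompare(dt, p) != 0` into a single helper that both the head-of-row comparison and this in-loop comparison call, with a short comment stating that completed trackers must never be returned from lookup. The diffstat also shows only src/defrag-hash.c changing, so this patch carries no test for a hash row holding more than one tracker where an earlier one is already complete; a unit test covering the IPID reuse scenario from the commit message would keep this from regressing.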
-- 
2.44.0