tcpdump: Patched for CVE-2024-2397

Change-Id: Ie02dfbe9b276221c3c3568991ac9f55ed6dd96d8 Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/c/photon/+/23614 Reviewed-by: Shreenidhi Shedi <shreenidhi.shedi@broadcom.com> Tested-by: gerrit-photon <photon-checkins@vmware.com>
2024-03-28 16:16:08 +05:30 · 2024-03-28 16:16:08 +05:30 · 5b060d1c4b
parent 510fde2e10
commit 5b060d1c4b
2 changed files with 134 additions and 2 deletions
--- a/SPECS/tcpdump/CVE-2024-2397.patch
+++ b/SPECS/tcpdump/CVE-2024-2397.patch
@ -0,0 +1,128 @@
+From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@sonic.net>
+Date: Tue, 12 Mar 2024 00:37:23 -0700
+Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer.
+
+This both saves the buffer for freeing later and saves the packet
+pointer and snapend to be restored when packet processing is complete,
+even if an exception is thrown with longjmp.
+
+This means that the hex/ASCII printing in pretty_print_packet()
+processes the packet data as captured or read from the savefile, rather
+than as modified by the PPP printer, so that the bounds checking is
+correct.
+
+That fixes CVE-2024-2397, which was caused by an exception being thrown
+by the hex/ASCII printer (which should only happen if those routines are
+called by a packet printer, not if they're called for the -X/-x/-A
+flag), which jumps back to the setjmp() that surrounds the packet
+printer.  Hilarity^Winfinite looping ensues.
+
+Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
+routine, in case nd_pop_all_packet_info() didn't restore it.
+
+[kunitsh@vmware.com: ported fix to v4.99.4]
+Signed-off-by: Nitesh Kumar <nitesh-nk.kumar@broadcom.com>
+---
+ print-ppp.c | 31 +++++++++++++++++--------------
+ print.c     |  8 ++++++--
+ 2 files changed, 23 insertions(+), 16 deletions(-)
+
+diff --git a/print-ppp.c b/print-ppp.c
+index aba243d..eb13ddd 100644
+--- a/print-ppp.c
+++ b/print-ppp.c
+@@ -37,6 +37,8 @@
+ 
+ #include "netdissect-stdinc.h"
+ 
+#include <stdlib.h>
+
+ #ifdef __bsdi__
+ #include <net/slcompress.h>
+ #include <net/if_ppp.h>
+@@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo,
+ 	u_char *b, *t, c;
+ 	const u_char *s;
+ 	u_int i, proto;
+-	const void *sb, *se;
+ 
+ 	if (caplen == 0)
+ 		return;
+@@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo,
+         if (length == 0)
+                 return;
+ 
+-	b = (u_char *)nd_malloc(ndo, caplen);
+-	if (b == NULL)
+-		return;
+        b = (u_char *)malloc(caplen);
+        if (b == NULL) {
+                (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+                        "%s: malloc", __func__);
+        }
+ 
+ 	/*
+ 	 * Unescape all the data into a temporary, private, buffer.
+@@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo,
+ 	}
+ 
+ 	/*
+-	 * Change the end pointer, so bounds checks work.
+-	 * Change the pointer to packet data to help debugging.
+	 * Switch to the output buffer for dissection, and save it
+	 * on the buffer stack so it can be freed; our caller must
+	 * pop it when done.
+ 	 */
+-	sb = ndo->ndo_packetp;
+-	se = ndo->ndo_snapend;
+-	ndo->ndo_packetp = b;
+-	ndo->ndo_snapend = t;
+        if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) {
+                free(b);
+                (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,
+                        "%s: can't push buffer on buffer stack", __func__);
+        }
+ 	length = ND_BYTES_AVAILABLE_AFTER(b);
+ 
+         /* now lets guess about the payload codepoint format */
+@@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo,
+         }
+ 
+ cleanup:
+-	ndo->ndo_packetp = sb;
+-	ndo->ndo_snapend = se;
+	nd_pop_packet_info(ndo);
+         return;
+ 
+ trunc:
+-	ndo->ndo_packetp = sb;
+-	ndo->ndo_snapend = se;
+	nd_pop_packet_info(ndo);
+ 	nd_print_trunc(ndo);
+ }
+ 
+diff --git a/print.c b/print.c
+index 9c0ab86..33706b9 100644
+--- a/print.c
+++ b/print.c
+@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h,
+ 	nd_pop_all_packet_info(ndo);
+ 
+ 	/*
+-	 * Restore the original snapend, as a printer might have
+-	 * changed it.
+	 * Restore the originals snapend and packetp, as a printer
+	 * might have changed them.
+	 *
+	 * XXX - nd_pop_all_packet_info() should have restored the
+	 * original values, but, just in case....
+ 	 */
+ 	ndo->ndo_snapend = sp + h->caplen;
+	ndo->ndo_packetp = sp;
+ 	if (ndo->ndo_Xflag) {
+ 		/*
+ 		 * Print the raw packet data in hex and ASCII.
+-- 
+2.34.1
+
--- a/SPECS/tcpdump/tcpdump.spec
+++ b/SPECS/tcpdump/tcpdump.spec
@ -1,7 +1,7 @@
 Summary:        Packet Analyzer
 Name:           tcpdump
 Version:        4.99.4
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 URL:            http://www.tcpdump.org
 Group:          Networking
@ -11,6 +11,8 @@ Distribution:   Photon
 Source0: http://www.tcpdump.org/release/%{name}-%{version}.tar.gz
 %define sha512 tcpdump=cb51e19574707d07c0de90dd4c301955897f2c9f2a69beb7162c08f59189f55625346d1602c8d66ab2b4c626ea4b0df1f08ed8734d2d7f536d0a7840c2d6d8df

+Patch0: CVE-2024-2397.patch
+
 BuildRequires: libpcap-devel

 Requires: libpcap
@ -21,7 +23,7 @@ It allows the user to display TCP/IP and other packets being
 transmitted or received over a network to which the computer is attached.

 %prep
-%autosetup
+%autosetup -p1

 %build
 %configure
@ -42,6 +44,8 @@ make %{?_smp_mflags} check
 %{_mandir}/man1/tcpdump.1.gz

 %changelog
+* Thu Mar 28 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 4.99.4-2
+- Patched for CVE-2024-2397
 * Thu May 18 2023 Nitesh Kumar <kunitesh@vmware.com> 4.99.4-1
 - Upgrade to v4.99.4 to fix CVE-2023-1801
 * Tue Apr 19 2022 Gerrit Photon <photon-checkins@vmware.com> 4.99.1-1