diff mbox series

[meta-oe,scarthgap,2/2] tcpreplay: fix CVE-2024-22654

Message ID 20250602155126.1197444-2-archana.polampalli@windriver.com
State New
Headers show
Series [meta-oe,scarthgap,1/2] tftpy: fix CVE-2023-46566 | expand

Commit Message

Polampalli, Archana June 2, 2025, 3:51 p.m. UTC 
From: Archana Polampalli <archana.polampalli@windriver.com>

tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../tcpreplay/CVE-2024-22654-0002.patch       | 35 +++++++++++++++++++
 .../tcpreplay/tcpreplay_4.4.4.bb              |  2 ++
 2 files changed, 37 insertions(+)
 create mode 100644 meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch

Comments

Gyorgy Sarvari June 2, 2025, 3:58 p.m. UTC | #1 
On 6/2/25 17:51, Polampalli, Archana via lists.openembedded.org wrote:
> ---
>  .../tcpreplay/CVE-2024-22654-0002.patch       | 35 +++++++++++++++++++
>  .../tcpreplay/tcpreplay_4.4.4.bb              |  2 ++
>  2 files changed, 37 insertions(+)
<snip>
> @@ -13,6 +13,8 @@ SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
>      file://0001-configure.ac-do-not-run-conftest-in-case-of-cross-co.patch \
>      file://CVE-2023-4256.patch \
>      file://CVE-2023-43279.patch \
> +    file://CVE-2024-22654-0001.patch \
> +    file://CVE-2024-22654-0002.patch \
>  "
Looks like the first part (CVE-2024-22654-0001.patch) was left out of
the patch.
diff mbox series

Patch

diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
new file mode 100644
index 0000000000..bcf560c0e5
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
@@ -0,0 +1,35 @@ 
+From 52ed63329b37ae83cb86504db2c9deb6a91e2fe9 Mon Sep 17 00:00:00 2001
+From: Gabriel Ganne <gabriel.ganne@gmail.com>
+Date: Sun, 21 Jan 2024 08:59:10 +0100
+Subject: [PATCH 2/2] ipv6 - add check for extension header length
+
+Fixes #827
+
+Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
+
+CVE: CVE-2024-22654
+
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/52ed63329b37ae83cb86504db2c9deb6a91e2fe9]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/common/get.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/common/get.c b/src/common/get.c
+index 89fe95b..c31de5d 100644
+--- a/src/common/get.c
++++ b/src/common/get.c
+@@ -676,6 +676,10 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr)
+     case TCPR_IPV6_NH_HBH:
+     case TCPR_IPV6_NH_AH:
+         extlen = IPV6_EXTLEN_TO_BYTES(exthdr->ip_len);
++        if (extlen == 0) {
++            dbg(3, "Malformed IPv6 extension header...");
++            return NULL;
++        }
+         dbgx(3,
+              "Looks like we're an ext header (0x%hhx).  Jumping %u bytes"
+              " to the next",
+--
+2.40.0
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
index 03a6cfdba5..a784190868 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -13,6 +13,8 @@  SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
     file://0001-configure.ac-do-not-run-conftest-in-case-of-cross-co.patch \
     file://CVE-2023-4256.patch \
     file://CVE-2023-43279.patch \
+    file://CVE-2024-22654-0001.patch \
+    file://CVE-2024-22654-0002.patch \
 "
 
 SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"