
[meta-oe,scarthgap,V2,1/1] tcpreplay: fix CVE-2024-22654

Message ID 20250603154844.1770149-1-archana.polampalli@windriver.com
State New

Commit Message

Polampalli, Archana June 3, 2025, 3:48 p.m. UTC
From: Archana Polampalli <archana.polampalli@windriver.com>

tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c.

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../tcpreplay/CVE-2024-22654-0001.patch       | 90 +++++++++++++++++++
 .../tcpreplay/CVE-2024-22654-0002.patch       | 35 ++++++++
 .../tcpreplay/tcpreplay_4.4.4.bb              |  2 +
 3 files changed, 127 insertions(+)
 create mode 100644 meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
 create mode 100644 meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch

Patch

diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
new file mode 100644
index 0000000000..26dedba8d4
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
@@ -0,0 +1,90 @@ 
+From 5b5644356693f5c68dd4295e86f24f1d0a515d60 Mon Sep 17 00:00:00 2001
+From: Fred Klassen <fred.klassen@broadcom.com>
+Date: Sat, 1 Jun 2024 11:46:10 -0700
+Subject: [PATCH 1/2] Bug #827 PR# 842: add check for IPv6 extension header
+ length
+
+CVE: CVE-2024-22654
+
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/5b5644356693f5c68dd4295e86f24f1d0a515d60]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/common/get.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/common/get.c b/src/common/get.c
+index 2d91116..89fe95b 100644
+--- a/src/common/get.c
++++ b/src/common/get.c
+@@ -41,8 +41,8 @@ extern const char pcap_version[];
+ static void *get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr);
+ 
+ /**
+- * Depending on what version of libpcap/WinPcap there are different ways to get
+- * the version of the libpcap/WinPcap library.  This presents a unified way to
++ * Depending on what version of libpcap there are different ways to get
++ * the version of the libpcap library.  This presents a unified way to
+  * get that information.
+  */
+ const char *
+@@ -196,8 +196,15 @@ parse_metadata(const u_char *pktdata,
+                uint32_t *vlan_offset)
+ {
+     bool done = false;
+-    int res = 0;
+-    while (!done && res == 0) {
++    assert(next_protocol);
++    assert(l2len);
++    assert(l2offset);
++    assert(vlan_offset);
++
++    if (!pktdata || !datalen)
++        errx(-1, "parse_metadata: invalid L2 parameters: pktdata=0x%p len=%d", pktdata, datalen);
++
++    while (!done) {
+         switch (*next_protocol) {
+         case ETHERTYPE_VLAN:
+         case ETHERTYPE_Q_IN_Q:
+@@ -205,18 +212,22 @@ parse_metadata(const u_char *pktdata,
+             if (*vlan_offset == 0)
+                 *vlan_offset = *l2len;
+ 
+-            res = parse_vlan(pktdata, datalen, next_protocol, l2len);
++            if (parse_vlan(pktdata, datalen, next_protocol, l2len))
++                return -1;
++
+             break;
+         case ETHERTYPE_MPLS:
+         case ETHERTYPE_MPLS_MULTI:
+-            res = parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset);
++            if (parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset))
++                return -1;
++
+             break;
+         default:
+             done = true;
+         }
+     }
+ 
+-    return res;
++    return 0;
+ }
+ 
+ /*
+@@ -605,9 +616,11 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, const u_char *end_ptr)
+          * no further processing, either TCP, UDP, ICMP, etc...
+          */
+         default:
+-            if (proto != ip6_hdr->ip_nh) {
++            if (proto != ip6_hdr->ip_nh && next) {
+                 dbgx(3, "Returning byte offset of this ext header: %u", IPV6_EXTLEN_TO_BYTES(next->ip_len));
+                 next = (void *)((u_char *)next + IPV6_EXTLEN_TO_BYTES(next->ip_len));
++                if ((u_char*)next > end_ptr)
++                    return NULL;
+             } else {
+                 dbgx(3, "%s", "Returning end of IPv6 Header");
+             }
+-- 
+2.40.0
+
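Review bot: In the get_layer4_v6 part of the backported patch, the new `if ((u_char*)next > end_ptr)` check runs only after `next` has been advanced by the packet-supplied extension length, and because it uses `>`, a header that ends exactly at `end_ptr` is still returned as a layer-4 pointer with no bytes behind it. Checking the length against the remaining space before advancing avoids forming an out-of-range pointer, e.g. `if ((u_char *)next >= end_ptr || IPV6_EXTLEN_TO_BYTES(next->ip_len) >= (size_t)(end_ptr - (u_char *)next)) return NULL;`. Whether callers re-check the remaining length is not visible here, since get_layer4_v6 starts and ends outside the hunk. Separately, the `assert()` guards added to parse_metadata compile away under NDEBUG, so they document the contract rather than enforce it. As this is a verbatim backport, both points are better raised upstream than changed in the recipe's copy.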
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
new file mode 100644
index 0000000000..bcf560c0e5
--- /dev/null
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
@@ -0,0 +1,35 @@ 
+From 52ed63329b37ae83cb86504db2c9deb6a91e2fe9 Mon Sep 17 00:00:00 2001
+From: Gabriel Ganne <gabriel.ganne@gmail.com>
+Date: Sun, 21 Jan 2024 08:59:10 +0100
+Subject: [PATCH 2/2] ipv6 - add check for extension header length
+
+Fixes #827
+
+Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
+
+CVE: CVE-2024-22654
+
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/52ed63329b37ae83cb86504db2c9deb6a91e2fe9]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/common/get.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/common/get.c b/src/common/get.c
+index 89fe95b..c31de5d 100644
+--- a/src/common/get.c
++++ b/src/common/get.c
+@@ -676,6 +676,10 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr)
+     case TCPR_IPV6_NH_HBH:
+     case TCPR_IPV6_NH_AH:
+         extlen = IPV6_EXTLEN_TO_BYTES(exthdr->ip_len);
++        if (extlen == 0) {
++            dbg(3, "Malformed IPv6 extension header...");
++            return NULL;
++        }
+         dbgx(3,
+              "Looks like we're an ext header (0x%hhx).  Jumping %u bytes"
+              " to the next",
+--
+2.40.0
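Review bot: The added `if (extlen == 0)` guard may never fire. An IPv6 extension length field excludes the first 8 octets, so if IPV6_EXTLEN_TO_BYTES adds that fixed part (its definition is not in the hunk), the result is at least 8 for every `ip_len`. The visible lines also do not compare `extlen` with the bytes left before `end_ptr`; if the code after the `dbgx` call does not already do so, the guard should cover it, e.g. `if (extlen == 0 || extlen > (size_t)(end_ptr - (const u_char *)exthdr)) return NULL;`. get_ipv6_next starts and ends outside the hunk, so both points need confirming against the full function.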
diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
index 03a6cfdba5..a784190868 100644
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@@ -13,6 +13,8 @@  SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
     file://0001-configure.ac-do-not-run-conftest-in-case-of-cross-co.patch \
     file://CVE-2023-4256.patch \
     file://CVE-2023-43279.patch \
+    file://CVE-2024-22654-0001.patch \
+    file://CVE-2024-22654-0002.patch \
 "
 
 SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"