
[meta-oe,kirkstone,1/3] iperf3: Fix CVE-2023-7250

Message ID 20250926114430.2425208-1-soumya.sambu@windriver.com
State New

Commit Message

ssambu Sept. 26, 2025, 11:44 a.m. UTC
From: Soumya Sambu <soumya.sambu@windriver.com>

A flaw was found in iperf, a utility for testing network performance using TCP, UDP,
and SCTP. A malicious or malfunctioning client can send less than the expected amount
of data to the iperf server, which can cause the server to hang indefinitely waiting
for the remainder or until the connection gets closed. This will prevent other
connections to the server, leading to a denial of service.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-7250
https://security-tracker.debian.org/tracker/CVE-2023-7250

Upstream patch:
https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4

Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
---
 .../iperf3/iperf3/CVE-2023-7250.patch         | 133 ++++++++++++++++++
 .../recipes-benchmark/iperf3/iperf3_3.14.bb   |   1 +
 2 files changed, 134 insertions(+)
 create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch

Patch

diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch
new file mode 100644
index 0000000000..6000480de7
--- /dev/null
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch
@@ -0,0 +1,133 @@ 
+From 5e3704dd850a5df2fb2b3eafd117963d017d07b4 Mon Sep 17 00:00:00 2001
+From: "Bruce A. Mah" <bmah@es.net>
+Date: Tue, 1 Aug 2023 14:02:54 -0700
+Subject: [PATCH] Implement fixes to make the control connection more robust.
+
+These include various timeouts in Nread() to guarantee that it will
+eventually exit, a 10-second timeout for each attempt to read data
+from the network and an approximately 30-second overall timeout per
+Nread() call.
+
+Also the iperf3 server now checks the length of the received session
+cookie, and errors out if this happens to be incorrect.
+
+Reported by Jorge Sancho Larraz - Canonical.
+
+CVE: CVE-2023-7250
+
+Upstream-Status: Backport [https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4]
+
+Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
+---
+ src/iperf_server_api.c |  7 ++++-
+ src/net.c              | 62 ++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/src/iperf_server_api.c b/src/iperf_server_api.c
+index 18f105d..ae916f5 100644
+--- a/src/iperf_server_api.c
++++ b/src/iperf_server_api.c
+@@ -140,7 +140,12 @@ iperf_accept(struct iperf_test *test)
+         }
+ #endif /* HAVE_TCP_USER_TIMEOUT */
+ 
+-        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) {
++        if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) != COOKIE_SIZE) {
++            /*
++             * Note this error covers both the case of a system error
++             * or the inability to read the correct amount of data
++             * (i.e. timed out).
++             */
+             i_errno = IERECVCOOKIE;
+             return -1;
+         }
+diff --git a/src/net.c b/src/net.c
+index 1a88155..b80fb64 100644
+--- a/src/net.c
++++ b/src/net.c
+@@ -65,6 +65,9 @@
+ #include "net.h"
+ #include "timer.h"
+ 
++static int nread_read_timeout = 10;
++static int nread_overall_timeout = 30;
++
+ /*
+  * Declaration of gerror in iperf_error.c.  Most other files in iperf3 can get this
+  * by including "iperf.h", but net.c lives "below" this layer.  Clearly the
+@@ -372,6 +375,32 @@ Nread(int fd, char *buf, size_t count, int prot)
+ {
+     register ssize_t r;
+     register size_t nleft = count;
++    struct iperf_time ftimeout = { 0, 0 };
++
++    fd_set rfdset;
++    struct timeval timeout = { nread_read_timeout, 0 };
++
++    /*
++     * fd might not be ready for reading on entry. Check for this
++     * (with timeout) first.
++     *
++     * This check could go inside the while() loop below, except we're
++     * currently considering whether it might make sense to support a
++     * codepath that bypassese this check, for situations where we
++     * already know that fd has data on it (for example if we'd gotten
++     * to here as the result of a select() call.
++     */
++    {
++        FD_ZERO(&rfdset);
++        FD_SET(fd, &rfdset);
++        r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
++        if (r < 0) {
++            return NET_HARDERROR;
++        }
++        if (r == 0) {
++            return 0;
++        }
++    }
+ 
+     while (nleft > 0) {
+         r = read(fd, buf, nleft);
+@@ -385,6 +414,39 @@ Nread(int fd, char *buf, size_t count, int prot)
+ 
+         nleft -= r;
+         buf += r;
++
++        /*
++         * We need some more bytes but don't want to wait around
++         * forever for them. In the case of partial results, we need
++         * to be able to read some bytes every nread_timeout seconds.
++         */
++        if (nleft > 0) {
++            struct iperf_time now;
++
++            /*
++             * Also, we have an approximate upper limit for the total time
++             * that a Nread call is supposed to take. We trade off accuracy
++             * of this timeout for a hopefully lower performance impact.
++             */
++            iperf_time_now(&now);
++            if (ftimeout.secs == 0) {
++                ftimeout = now;
++                iperf_time_add_usecs(&ftimeout, nread_overall_timeout * 1000000L);
++            }
++            if (iperf_time_compare(&ftimeout, &now) < 0) {
++                break;
++            }
++
++            FD_ZERO(&rfdset);
++            FD_SET(fd, &rfdset);
++            r = select(fd + 1, &rfdset, NULL, NULL, &timeout);
++            if (r < 0) {
++                return NET_HARDERROR;
++            }
++            if (r == 0) {
++                break;
++            }
++        }
+     }
+     return count - nleft;
+ }
+-- 
+2.40.0
+
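Review bot: In the backported Nread() in src/net.c, the one `struct timeval timeout` initialised at the top is passed to both select() calls, and on Linux select() writes the unslept time back into it, so the select inside the `if (nleft > 0)` block waits only for what remains of the first interval rather than a fresh `nread_read_timeout`. The call still terminates, but a slow yet legitimate peer can be cut off sooner than the 10-second-per-read bound the patch description states, and the behaviour differs between platforms. Resetting the value before each call would make the bound hold: `timeout.tv_sec = nread_read_timeout; timeout.tv_usec = 0;`. Both `FD_SET(fd, &rfdset)` sites also assume `fd < FD_SETSIZE`; whether the server can pass Nread() a higher descriptor is not visible here, so that is worth confirming. The middle of Nread()'s read loop lies outside the embedded hunks, and since the patch is marked as a backport any change would belong upstream first.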
diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb
index d181eb3b02..8961628792 100644
--- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb
+++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb
@@ -16,6 +16,7 @@  LIC_FILES_CHKSUM = "file://LICENSE;md5=dc6301c8256ceb8f71c9e3c2ae9096b9"
 SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \
            file://0002-Remove-pg-from-profile_CFLAGS.patch \
            file://0001-configure.ac-check-for-CPP-prog.patch \
+           file://CVE-2023-7250.patch \
            "
 
 SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d"