From patchwork Fri Sep 26 11:44:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 71083 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A45CCAC5B9 for ; Fri, 26 Sep 2025 11:44:41 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.15373.1758887080934080499 for ; Fri, 26 Sep 2025 04:44:40 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=rI+U6CTd; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=1364ba7040=soumya.sambu@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 58QB9lSX1379348 for ; Fri, 26 Sep 2025 04:44:40 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:message-id :mime-version:subject:to; s=PPS06212021; bh=dOARXScmdFHJn4GIcIV/ uMqANVJ7S8k/NojfQItyN9s=; b=rI+U6CTdhSPdCiCimwK7ZdUCVsdqeN2XUsKt Oege19g/UvjeLWh/leqnSJG3AkvjBNnvU2JNNlZHb2DINQAZzZlfxV8pDxSmzyMR mCsQno3OBoeIjgQwvG6Un2SsMPjWhmlNUt4W9mzgMA4NqyJeSTVHgWh5xig71YX2 HDm17aOP2Rh7WXfbLNTmda++YGWlGUKRyLEsD5hzdEt2NmsWstpnjy6aNy0qNxLf sZ0gXGRJzV3Ym+AsWGSTabTaOR4B0zwSX/KCeSEB/E3zlYu7dW+C7gVGJCEDpTTr 8M6cji47nM8x3FxjYiNATIKGE/k/CztycNnKgGH3+RRN2ctMvQ== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 49dbse0r7b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 26 Sep 2025 04:44:39 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.59; Fri, 26 Sep 2025 04:44:39 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.59 via Frontend Transport; Fri, 26 Sep 2025 04:44:38 -0700 From: ssambu To: Subject: [oe][meta-oe][kirkstone][PATCH 1/3] iperf3: Fix CVE-2023-7250 Date: Fri, 26 Sep 2025 17:14:28 +0530 Message-ID: <20250926114430.2425208-1-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 X-Proofpoint-GUID: LHJ3sR1KKsNKUYK7yZqQBtCm_5WkrO61 X-Authority-Analysis: v=2.4 cv=NanrFmD4 c=1 sm=1 tr=0 ts=68d67ca7 cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=yJojWOMRYYMA:10 a=PYnjg3YJAAAA:8 a=xNf9USuDAAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=vtXoPY2jAAAA:8 a=leH7VdtcYazS_2BtDtsA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=s4FxMMpuSwg4a78zj2vJ:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwOTI2MDEwOCBTYWx0ZWRfX/ganWLd8tMtN t3DFmN6gPSonh6x1yOxQVc2mc12Z7I+ngfz6jFRkdktDtZnuoNp8Zcij9xSUep+Q+Ot+NA8jSKD hC4sg1AUsV0zH/CGMq3a1l3MbTXFnZcXxt/KBCG1OnHc35OeKcscvEh7RkV/2ElxnzWlnyuEPLm mitLqFNElmT/5UEU5aVEwT+2w/Rv0nJ1uQxrr6+3qvrY8nisbP24CmoCX+4jsOiFFyqEytqyQ7Q 2q49j71SHrQx4DUaOkfg9WhkHiu5K/11kuil3simSmq7YR4b355MqHfvNYSyVmg1YVrC42qSMuc Ww7MtBBrT53nJ+fD9WSPBhfIU8KkVz2M5FCj7C1Przfr2o4Q7xv2nsMftRGfVgLhfHuPbgF/wO+ 9wwsRRzvHfUFxrqG3pULHLn1K4WZxQ== X-Proofpoint-ORIG-GUID: LHJ3sR1KKsNKUYK7yZqQBtCm_5WkrO61 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-09-26_03,2025-09-26_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 phishscore=0 bulkscore=0 clxscore=1015 lowpriorityscore=0 suspectscore=0 malwarescore=0 spamscore=0 adultscore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2509150000 definitions=main-2509260108 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Sep 2025 11:44:41 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119906 From: Soumya Sambu A flaw was found in iperf, a utility for testing network performance using TCP, UDP, and SCTP. A malicious or malfunctioning client can send less than the expected amount of data to the iperf server, which can cause the server to hang indefinitely waiting for the remainder or until the connection gets closed. This will prevent other connections to the server, leading to a denial of service. References: https://nvd.nist.gov/vuln/detail/CVE-2023-7250 https://security-tracker.debian.org/tracker/CVE-2023-7250 Upstream patch: https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4 Signed-off-by: Soumya Sambu --- .../iperf3/iperf3/CVE-2023-7250.patch | 133 ++++++++++++++++++ .../recipes-benchmark/iperf3/iperf3_3.14.bb | 1 + 2 files changed, 134 insertions(+) create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch new file mode 100644 index 0000000000..6000480de7 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2023-7250.patch @@ -0,0 +1,133 @@ +From 5e3704dd850a5df2fb2b3eafd117963d017d07b4 Mon Sep 17 00:00:00 2001 +From: "Bruce A. Mah" +Date: Tue, 1 Aug 2023 14:02:54 -0700 +Subject: [PATCH] Implement fixes to make the control connection more robust. + +These include various timeouts in Nread() to guarantee that it will +eventually exit, a 10-second timeout for each attempt to read data +from the network and an approximately 30-second overall timeout per +Nread() call. + +Also the iperf3 server now checks the length of the received session +cookie, and errors out if this happens to be incorrect. + +Reported by Jorge Sancho Larraz - Canonical. + +CVE: CVE-2023-7250 + +Upstream-Status: Backport [https://github.com/esnet/iperf/commit/5e3704dd850a5df2fb2b3eafd117963d017d07b4] + +Signed-off-by: Soumya Sambu +--- + src/iperf_server_api.c | 7 ++++- + src/net.c | 62 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+), 1 deletion(-) + +diff --git a/src/iperf_server_api.c b/src/iperf_server_api.c +index 18f105d..ae916f5 100644 +--- a/src/iperf_server_api.c ++++ b/src/iperf_server_api.c +@@ -140,7 +140,12 @@ iperf_accept(struct iperf_test *test) + } + #endif /* HAVE_TCP_USER_TIMEOUT */ + +- if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) < 0) { ++ if (Nread(test->ctrl_sck, test->cookie, COOKIE_SIZE, Ptcp) != COOKIE_SIZE) { ++ /* ++ * Note this error covers both the case of a system error ++ * or the inability to read the correct amount of data ++ * (i.e. timed out). ++ */ + i_errno = IERECVCOOKIE; + return -1; + } +diff --git a/src/net.c b/src/net.c +index 1a88155..b80fb64 100644 +--- a/src/net.c ++++ b/src/net.c +@@ -65,6 +65,9 @@ + #include "net.h" + #include "timer.h" + ++static int nread_read_timeout = 10; ++static int nread_overall_timeout = 30; ++ + /* + * Declaration of gerror in iperf_error.c. Most other files in iperf3 can get this + * by including "iperf.h", but net.c lives "below" this layer. Clearly the +@@ -372,6 +375,32 @@ Nread(int fd, char *buf, size_t count, int prot) + { + register ssize_t r; + register size_t nleft = count; ++ struct iperf_time ftimeout = { 0, 0 }; ++ ++ fd_set rfdset; ++ struct timeval timeout = { nread_read_timeout, 0 }; ++ ++ /* ++ * fd might not be ready for reading on entry. Check for this ++ * (with timeout) first. ++ * ++ * This check could go inside the while() loop below, except we're ++ * currently considering whether it might make sense to support a ++ * codepath that bypassese this check, for situations where we ++ * already know that fd has data on it (for example if we'd gotten ++ * to here as the result of a select() call. ++ */ ++ { ++ FD_ZERO(&rfdset); ++ FD_SET(fd, &rfdset); ++ r = select(fd + 1, &rfdset, NULL, NULL, &timeout); ++ if (r < 0) { ++ return NET_HARDERROR; ++ } ++ if (r == 0) { ++ return 0; ++ } ++ } + + while (nleft > 0) { + r = read(fd, buf, nleft); +@@ -385,6 +414,39 @@ Nread(int fd, char *buf, size_t count, int prot) + + nleft -= r; + buf += r; ++ ++ /* ++ * We need some more bytes but don't want to wait around ++ * forever for them. In the case of partial results, we need ++ * to be able to read some bytes every nread_timeout seconds. ++ */ ++ if (nleft > 0) { ++ struct iperf_time now; ++ ++ /* ++ * Also, we have an approximate upper limit for the total time ++ * that a Nread call is supposed to take. We trade off accuracy ++ * of this timeout for a hopefully lower performance impact. ++ */ ++ iperf_time_now(&now); ++ if (ftimeout.secs == 0) { ++ ftimeout = now; ++ iperf_time_add_usecs(&ftimeout, nread_overall_timeout * 1000000L); ++ } ++ if (iperf_time_compare(&ftimeout, &now) < 0) { ++ break; ++ } ++ ++ FD_ZERO(&rfdset); ++ FD_SET(fd, &rfdset); ++ r = select(fd + 1, &rfdset, NULL, NULL, &timeout); ++ if (r < 0) { ++ return NET_HARDERROR; ++ } ++ if (r == 0) { ++ break; ++ } ++ } + } + return count - nleft; + } +-- +2.40.0 + diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb index d181eb3b02..8961628792 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb @@ -16,6 +16,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=dc6301c8256ceb8f71c9e3c2ae9096b9" SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ file://0001-configure.ac-check-for-CPP-prog.patch \ + file://CVE-2023-7250.patch \ " SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d" From patchwork Fri Sep 26 11:44:29 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 71084 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 378BACAC5AE for ; Fri, 26 Sep 2025 11:44:51 +0000 (UTC) Received: from mx0b-0064b401.pphosted.com (mx0b-0064b401.pphosted.com [205.220.178.238]) by mx.groups.io with SMTP id smtpd.web11.15376.1758887083933743658 for ; Fri, 26 Sep 2025 04:44:44 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=elJgjhhj; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.178.238, mailfrom: prvs=1364ba7040=soumya.sambu@windriver.com) Received: from pps.filterd (m0250812.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 58QBR2Fv1759272 for ; Fri, 26 Sep 2025 11:44:43 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=IucV6QrgbRFjvHh7X8jZhTSi4fwZoYJ97Ut092JDdMg=; b=elJgjhhj3+1j niDD7F9QoC92op4PSYu9ys3+XGcPClsRFgVg5V4kl+qj94UHe3+9g15MBXnMmVXl YzKl/LF4Jyt6SXJbp9/LIBMtVhopAZn3lgFm6tud0O/PkJrepLvgGgoUXO0w40gA aZrn2zUGRMXT+YbCqCIAbICowg1BLaYAMX/N0tJCuMpEjkYlvjQfUjcCEpNO/4GI o4EcIiTlGvBI5MWYEYXftSOEf8AoYWytgW9c4trWXDaa3RpA1EsJ08PMVJgc1Njn Bu4B1tKClBbT2GJJfx5GkrAIP+kjGG9ANUOAKnPvH6F2zBnMPZhzUpQcFFMf/2hi LbiZK48NEg== Received: from ala-exchng02.corp.ad.wrs.com ([128.224.246.37]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 49dbsh8qsp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 26 Sep 2025 11:44:42 +0000 (GMT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ALA-EXCHNG02.corp.ad.wrs.com (10.11.224.122) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.59; Fri, 26 Sep 2025 04:44:41 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.59 via Frontend Transport; Fri, 26 Sep 2025 04:44:40 -0700 From: ssambu To: Subject: [oe][meta-oe][kirkstone][PATCH 2/3] iperf3: Fix CVE-2024-26306 Date: Fri, 26 Sep 2025 17:14:29 +0530 Message-ID: <20250926114430.2425208-2-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250926114430.2425208-1-soumya.sambu@windriver.com> References: <20250926114430.2425208-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwOTI2MDEwOCBTYWx0ZWRfXzEBCBHZTu4sM o5wUV9ouLK4Df5egNB9kUK6rIIs4VWm5snkY++6zs45KEmm8HnN9a0lqXtXXNMfTQILrLlWe54v IntCWAj9lslNacRWDXgss6NFlWjSpMd0lYcEnmItrwMufGWcmWb2rEWjDLYGxIO/x1CZPQS4z5k mpnmxhm8fKUrw3H/5kAswqRVPM5M73YeZlE+HettTE1UwDBYIY0NovRICOxDOZeZiAkMShVlCLo lQocUPF88Hbix6ZJTXfP4n8vmzZK2cM+wCMm+8Y+M3dGPNoXcUgzzL4E8yqVdbYDtxU6/AdgRVg vvO5oTPrFJhuIGl/3hcuBcrULTcrGGk3o8ArtAOVyeKKAvDRWyVGBGTc5clQjtbYP/6FOqSDOc1 oS9UJtVB3oYJ9hzyJyg+Em+SufE7Pg== X-Proofpoint-ORIG-GUID: IQkK7prwFZj--9u28e0g59cFH9mZlVb0 X-Proofpoint-GUID: IQkK7prwFZj--9u28e0g59cFH9mZlVb0 X-Authority-Analysis: v=2.4 cv=U4WfzOru c=1 sm=1 tr=0 ts=68d67caa cx=c_pps a=Lg6ja3A245NiLSnFpY5YKQ==:117 a=Lg6ja3A245NiLSnFpY5YKQ==:17 a=yJojWOMRYYMA:10 a=PYnjg3YJAAAA:8 a=xNf9USuDAAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=-HSFvP46uHVNKya2NyEA:9 a=FdTzh2GWekK77mhwV6Dw:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-09-26_03,2025-09-26_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 priorityscore=1501 adultscore=0 phishscore=0 impostorscore=0 clxscore=1015 suspectscore=0 bulkscore=0 spamscore=0 malwarescore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2509150000 definitions=main-2509260108 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Sep 2025 11:44:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119908 From: Soumya Sambu iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. References: https://nvd.nist.gov/vuln/detail/CVE-2024-26306 https://security-tracker.debian.org/tracker/CVE-2024-26306 Upstream patch: https://github.com/esnet/iperf/commit/299b356df6939f71619bf45bf7a7d2222e17d840 Signed-off-by: Soumya Sambu --- .../iperf3/iperf3/CVE-2024-26306.patch | 218 ++++++++++++++++++ .../recipes-benchmark/iperf3/iperf3_3.14.bb | 1 + 2 files changed, 219 insertions(+) create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-26306.patch diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-26306.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-26306.patch new file mode 100644 index 0000000000..83acb918bd --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-26306.patch @@ -0,0 +1,218 @@ +From 299b356df6939f71619bf45bf7a7d2222e17d840 Mon Sep 17 00:00:00 2001 +From: Sarah Larsen +Date: Wed, 20 Mar 2024 17:02:31 -0700 +Subject: [PATCH] Using OAEP padding instead of PKCS1 padding for OpenSSL. Fix + for CVE-2024-26306. + +Special thanks to Hubert Kario at Red Hat for finding the vulnerability. + +CVE: CVE-2024-26306 + +Upstream-Status: Backport [https://github.com/esnet/iperf/commit/299b356df6939f71619bf45bf7a7d2222e17d840] + +Signed-off-by: Soumya Sambu +--- + src/iperf.h | 1 + + src/iperf_api.c | 8 ++++++-- + src/iperf_api.h | 1 + + src/iperf_auth.c | 26 ++++++++++++++++++-------- + src/iperf_auth.h | 4 ++-- + src/iperf_locale.c | 1 + + src/t_auth.c | 5 +++-- + 7 files changed, 32 insertions(+), 14 deletions(-) + +diff --git a/src/iperf.h b/src/iperf.h +index c3ce333..ae3feeb 100644 +--- a/src/iperf.h ++++ b/src/iperf.h +@@ -308,6 +308,7 @@ struct iperf_test + char *server_authorized_users; + EVP_PKEY *server_rsa_private_key; + int server_skew_threshold; ++ int use_pkcs1_padding; + #endif // HAVE_SSL + + /* boolean variables for Options */ +diff --git a/src/iperf_api.c b/src/iperf_api.c +index a95e024..3915884 100644 +--- a/src/iperf_api.c ++++ b/src/iperf_api.c +@@ -1097,6 +1097,7 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv) + {"rsa-private-key-path", required_argument, NULL, OPT_SERVER_RSA_PRIVATE_KEY}, + {"authorized-users-path", required_argument, NULL, OPT_SERVER_AUTHORIZED_USERS}, + {"time-skew-threshold", required_argument, NULL, OPT_SERVER_SKEW_THRESHOLD}, ++ {"use-pkcs1-padding", no_argument, NULL, OPT_USE_PKCS1_PADDING}, + #endif /* HAVE_SSL */ + {"fq-rate", required_argument, NULL, OPT_FQ_RATE}, + {"pacing-timer", required_argument, NULL, OPT_PACING_TIMER}, +@@ -1585,6 +1586,9 @@ iperf_parse_arguments(struct iperf_test *test, int argc, char **argv) + return -1; + } + break; ++ case OPT_USE_PKCS1_PADDING: ++ test->use_pkcs1_padding = 1; ++ break; + #endif /* HAVE_SSL */ + case OPT_PACING_TIMER: + test->settings->pacing_timer = unit_atoi(optarg); +@@ -2026,7 +2030,7 @@ int test_is_authorized(struct iperf_test *test){ + if (test->settings->authtoken){ + char *username = NULL, *password = NULL; + time_t ts; +- int rc = decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts); ++ int rc = decode_auth_setting(test->debug, test->settings->authtoken, test->server_rsa_private_key, &username, &password, &ts, test->use_pkcs1_padding); + if (rc) { + return -1; + } +@@ -2211,7 +2215,7 @@ send_parameters(struct iperf_test *test) + #if defined(HAVE_SSL) + /* Send authentication parameters */ + if (test->settings->client_username && test->settings->client_password && test->settings->client_rsa_pubkey){ +- int rc = encode_auth_setting(test->settings->client_username, test->settings->client_password, test->settings->client_rsa_pubkey, &test->settings->authtoken); ++ int rc = encode_auth_setting(test->settings->client_username, test->settings->client_password, test->settings->client_rsa_pubkey, &test->settings->authtoken, test->use_pkcs1_padding); + + if (rc) { + cJSON_Delete(j); +diff --git a/src/iperf_api.h b/src/iperf_api.h +index 171006a..052bc96 100644 +--- a/src/iperf_api.h ++++ b/src/iperf_api.h +@@ -90,6 +90,7 @@ typedef uint64_t iperf_size_t; + #define OPT_DONT_FRAGMENT 26 + #define OPT_RCV_TIMEOUT 27 + #define OPT_SND_TIMEOUT 28 ++#define OPT_USE_PKCS1_PADDING 30 + + /* states */ + #define TEST_START 1 +diff --git a/src/iperf_auth.c b/src/iperf_auth.c +index 595f730..db48bbf 100644 +--- a/src/iperf_auth.c ++++ b/src/iperf_auth.c +@@ -228,7 +228,7 @@ int test_load_private_key_from_file(const char *file){ + return 0; + } + +-int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned char **encryptedtext) { ++int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned char **encryptedtext, int use_pkcs1_padding) { + RSA *rsa = NULL; + unsigned char *rsa_buffer = NULL, pad = RSA_PKCS1_PADDING; + int keysize, encryptedtext_len, rsa_buffer_len; +@@ -241,7 +241,12 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch + + BIO *bioBuff = BIO_new_mem_buf((void*)plaintext, (int)strlen(plaintext)); + rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2); +- encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, pad); ++ ++ int padding = RSA_PKCS1_OAEP_PADDING; ++ if (use_pkcs1_padding){ ++ padding = RSA_PKCS1_PADDING; ++ } ++ encryptedtext_len = RSA_public_encrypt(rsa_buffer_len, rsa_buffer, *encryptedtext, rsa, padding); + + RSA_free(rsa); + OPENSSL_free(rsa_buffer); +@@ -255,7 +260,7 @@ int encrypt_rsa_message(const char *plaintext, EVP_PKEY *public_key, unsigned ch + return encryptedtext_len; + } + +-int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext) { ++int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedtext_len, EVP_PKEY *private_key, unsigned char **plaintext, int use_pkcs1_padding) { + RSA *rsa = NULL; + unsigned char *rsa_buffer = NULL, pad = RSA_PKCS1_PADDING; + int plaintext_len, rsa_buffer_len, keysize; +@@ -268,7 +273,12 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt + + BIO *bioBuff = BIO_new_mem_buf((void*)encryptedtext, encryptedtext_len); + rsa_buffer_len = BIO_read(bioBuff, rsa_buffer, keysize * 2); +- plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, pad); ++ ++ int padding = RSA_PKCS1_OAEP_PADDING; ++ if (use_pkcs1_padding){ ++ padding = RSA_PKCS1_PADDING; ++ } ++ plaintext_len = RSA_private_decrypt(rsa_buffer_len, rsa_buffer, *plaintext, rsa, padding); + + RSA_free(rsa); + OPENSSL_free(rsa_buffer); +@@ -282,7 +292,7 @@ int decrypt_rsa_message(const unsigned char *encryptedtext, const int encryptedt + return plaintext_len; + } + +-int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken){ ++int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken, int use_pkcs1_padding){ + time_t t = time(NULL); + time_t utc_seconds = mktime(localtime(&t)); + +@@ -299,7 +309,7 @@ int encode_auth_setting(const char *username, const char *password, EVP_PKEY *pu + + unsigned char *encrypted = NULL; + int encrypted_len; +- encrypted_len = encrypt_rsa_message(text, public_key, &encrypted); ++ encrypted_len = encrypt_rsa_message(text, public_key, &encrypted, use_pkcs1_padding); + free(text); + if (encrypted_len < 0) { + return -1; +@@ -310,7 +320,7 @@ int encode_auth_setting(const char *username, const char *password, EVP_PKEY *pu + return (0); //success + } + +-int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts){ ++int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts, int use_pkcs1_padding){ + unsigned char *encrypted_b64 = NULL; + size_t encrypted_len_b64; + int64_t utc_seconds; +@@ -318,7 +328,7 @@ int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *priva + + unsigned char *plaintext = NULL; + int plaintext_len; +- plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext); ++ plaintext_len = decrypt_rsa_message(encrypted_b64, encrypted_len_b64, private_key, &plaintext, use_pkcs1_padding); + free(encrypted_b64); + if (plaintext_len < 0) { + return -1; +diff --git a/src/iperf_auth.h b/src/iperf_auth.h +index ffadbf3..eedd45a 100644 +--- a/src/iperf_auth.h ++++ b/src/iperf_auth.h +@@ -35,7 +35,7 @@ EVP_PKEY *load_pubkey_from_file(const char *file); + EVP_PKEY *load_pubkey_from_base64(const char *buffer); + EVP_PKEY *load_privkey_from_file(const char *file); + EVP_PKEY *load_privkey_from_base64(const char *buffer); +-int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken); +-int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts); ++int encode_auth_setting(const char *username, const char *password, EVP_PKEY *public_key, char **authtoken, int use_pkcs1_padding); ++int decode_auth_setting(int enable_debug, const char *authtoken, EVP_PKEY *private_key, char **username, char **password, time_t *ts, int use_pkcs1_padding); + int check_authentication(const char *username, const char *password, const time_t ts, const char *filename, int skew_threshold); + ssize_t iperf_getpass (char **lineptr, size_t *n, FILE *stream); +diff --git a/src/iperf_locale.c b/src/iperf_locale.c +index 838086e..466f36a 100644 +--- a/src/iperf_locale.c ++++ b/src/iperf_locale.c +@@ -156,6 +156,7 @@ const char usage_longstr[] = "Usage: iperf3 [-s|-c host] [options]\n" + " credentials\n" + " --time-skew-threshold time skew threshold (in seconds) between the server\n" + " and client during the authentication process\n" ++ " --use-pkcs1-padding use pkcs1 padding at your own risk\n" + #endif //HAVE_SSL + "Client specific:\n" + " -c, --client [%%] run in client mode, connecting to \n" +diff --git a/src/t_auth.c b/src/t_auth.c +index 22c78ae..5104855 100644 +--- a/src/t_auth.c ++++ b/src/t_auth.c +@@ -103,8 +103,9 @@ test_authtoken(const char *authUser, const char *authPassword, EVP_PKEY *pubkey, + char *decodePassword; + time_t decodeTime; + +- assert(encode_auth_setting(authUser, authPassword, pubkey, &authToken) == 0); +- assert(decode_auth_setting(0, authToken, privkey, &decodeUser, &decodePassword, &decodeTime) == 0); ++ int use_pkcs1_padding = 1; ++ assert(encode_auth_setting(authUser, authPassword, pubkey, &authToken, use_pkcs1_padding) == 0); ++ assert(decode_auth_setting(0, authToken, privkey, &decodeUser, &decodePassword, &decodeTime, use_pkcs1_padding) == 0); + + assert(strcmp(decodeUser, authUser) == 0); + assert(strcmp(decodePassword, authPassword) == 0); +-- +2.40.0 + diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb index 8961628792..6de6d6c0b8 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb @@ -17,6 +17,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0002-Remove-pg-from-profile_CFLAGS.patch \ file://0001-configure.ac-check-for-CPP-prog.patch \ file://CVE-2023-7250.patch \ + file://CVE-2024-26306.patch \ " SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d" From patchwork Fri Sep 26 11:44:30 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: ssambu X-Patchwork-Id: 71085 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 40F59CAC5BC for ; Fri, 26 Sep 2025 11:44:51 +0000 (UTC) Received: from mx0a-0064b401.pphosted.com (mx0a-0064b401.pphosted.com [205.220.166.238]) by mx.groups.io with SMTP id smtpd.web11.15375.1758887083660984535 for ; Fri, 26 Sep 2025 04:44:43 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@windriver.com header.s=PPS06212021 header.b=rjcyrhcX; spf=permerror, err=parse error for token &{10 18 %{ir}.%{v}.%{d}.spf.has.pphosted.com}: invalid domain name (domain: windriver.com, ip: 205.220.166.238, mailfrom: prvs=1364ba7040=soumya.sambu@windriver.com) Received: from pps.filterd (m0250809.ppops.net [127.0.0.1]) by mx0a-0064b401.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id 58QAnn8T1346203 for ; Fri, 26 Sep 2025 04:44:43 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriver.com; h=content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to; s=PPS06212021; bh=EIFkQvGuF+CdMPddoQeWZ+77kx67NLqQQRmupAKVJ2c=; b=rjcyrhcXozTF 2yvN63ttBUiL7HI6cbvsBKYU/ykBjjCkVadRHyq9XAMkIFqw/Xt3kUSiWCFYwfvc 9Ityn1Qg5m12h/3/SOtHgkILNkdP/5rVG2LbMvA9PvZfifJotmSudS9m3/JkGdcE yFCVikRJ9ePZjmXxjTaKOrXpL8Tr1foc1uFRJgzjwaWyLBWc5rT1jIuWTZSxYT1R aesPC2GTMGtheheEW51RDhtuEoGV0Rxt3sveynhWDLhhDvQdQfYTj3qjpdCV3WkP WBb60SrUMOBsmmkOQ6DrdWUashcVLw+fb9FWnhbCF3/q33qpxTqpYzke24t7YwC2 EI1KCBytgQ== Received: from ala-exchng01.corp.ad.wrs.com ([128.224.246.36]) by mx0a-0064b401.pphosted.com (PPS) with ESMTPS id 49dbse0r7f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 26 Sep 2025 04:44:43 -0700 (PDT) Received: from ala-exchng01.corp.ad.wrs.com (10.11.224.121) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.59; Fri, 26 Sep 2025 04:44:42 -0700 Received: from blr-linux-engg1.wrs.com (10.11.232.110) by ala-exchng01.corp.ad.wrs.com (10.11.224.121) with Microsoft SMTP Server id 15.1.2507.59 via Frontend Transport; Fri, 26 Sep 2025 04:44:41 -0700 From: ssambu To: Subject: [oe][meta-oe][kirkstone][PATCH 3/3] iperf3: Fix CVE-2024-53580 Date: Fri, 26 Sep 2025 17:14:30 +0530 Message-ID: <20250926114430.2425208-3-soumya.sambu@windriver.com> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20250926114430.2425208-1-soumya.sambu@windriver.com> References: <20250926114430.2425208-1-soumya.sambu@windriver.com> MIME-Version: 1.0 X-Proofpoint-GUID: nMku2iuFI-YinM0nn7eGzLMYWEKilPUe X-Authority-Analysis: v=2.4 cv=NanrFmD4 c=1 sm=1 tr=0 ts=68d67cab cx=c_pps a=AbJuCvi4Y3V6hpbCNWx0WA==:117 a=AbJuCvi4Y3V6hpbCNWx0WA==:17 a=yJojWOMRYYMA:10 a=PYnjg3YJAAAA:8 a=xNf9USuDAAAA:8 a=NEAV23lmAAAA:8 a=t7CeM3EgAAAA:8 a=vtXoPY2jAAAA:8 a=EDhlG9hj55tZ7ykOT9UA:9 a=FdTzh2GWekK77mhwV6Dw:22 a=s4FxMMpuSwg4a78zj2vJ:22 X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwOTI2MDEwOCBTYWx0ZWRfXwuvlTTNci4H7 gvt7GJU7MDn5SU2mRP6jxn+ivG78Zqw62yNCfntqWgRgcKP+1vuTXkIsPwHktznD/u7AYIIo5v1 TTX/ZJhH6bGlI1hPozB5z1oGa6ColIdt37i2jC3aBkKaW9D5CCdFKezUpePvN3IxdEflbvUJeIk DkvsRDomGig5E6aF7kxVfcBqEkzVLycRCaAiQTwfylci6sL7LLhyGmu2OcgKnEd08qVHmiTDavY NIj3OSxw5owqQV6Y0nXy8GlQGlb7gUyutFHhXsljNRzbpuZQ7HVTYpoqFJIkiK5t4/5YaqUAXBG KIWr/1tutcOqEkPJ0dQ0jjL+JgwZWv5AeKcHaoBOqDAyktnuqEzIT+PFtKmTlTRZws7ZLdXGHeo YmMZMyaq7tEr7Esi+Ef6Ae/tWAN7dQ== X-Proofpoint-ORIG-GUID: nMku2iuFI-YinM0nn7eGzLMYWEKilPUe X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-09-26_03,2025-09-26_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 phishscore=0 bulkscore=0 clxscore=1015 lowpriorityscore=0 suspectscore=0 malwarescore=0 spamscore=0 adultscore=0 priorityscore=1501 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2509150000 definitions=main-2509260108 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Fri, 26 Sep 2025 11:44:51 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/119907 From: Soumya Sambu iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function. References: https://nvd.nist.gov/vuln/detail/CVE-2024-53580 https://security-tracker.debian.org/tracker/CVE-2024-53580 Upstream patch: https://github.com/esnet/iperf/commit/3f66f604df7f1038a49108c48612c2f4fe71331f Signed-off-by: Soumya Sambu --- .../iperf3/iperf3/CVE-2024-53580.patch | 276 ++++++++++++++++++ .../recipes-benchmark/iperf3/iperf3_3.14.bb | 1 + 2 files changed, 277 insertions(+) create mode 100644 meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-53580.patch diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-53580.patch b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-53580.patch new file mode 100644 index 0000000000..99ef69aea0 --- /dev/null +++ b/meta-oe/recipes-benchmark/iperf3/iperf3/CVE-2024-53580.patch @@ -0,0 +1,276 @@ +From 3f66f604df7f1038a49108c48612c2f4fe71331f Mon Sep 17 00:00:00 2001 +From: Sarah Larsen +Date: Fri, 15 Nov 2024 23:23:05 +0000 +Subject: [PATCH] Add a variant of cJSON_GetObjectItem that does type-checking. + +This avoids a potential server crash with malformed iperf3 +parameter sets. (CVE-2024-53580) + +Vulnerability report submitted by Leonid Krolle Bi.Zone. + +Original version of fix by @dopheide-esnet. + +CVE: CVE-2024-53580 + +Upstream-Status: Backport [https://github.com/esnet/iperf/commit/3f66f604df7f1038a49108c48612c2f4fe71331f] + +Signed-off-by: Soumya Sambu +--- + src/iperf_api.c | 96 +++++++++++++++++++++++------------------------ + src/iperf_error.c | 2 +- + src/iperf_util.c | 36 ++++++++++++++++++ + src/iperf_util.h | 1 + + 4 files changed, 86 insertions(+), 49 deletions(-) + +diff --git a/src/iperf_api.c b/src/iperf_api.c +index 3915884..786af29 100644 +--- a/src/iperf_api.c ++++ b/src/iperf_api.c +@@ -2264,72 +2264,72 @@ get_parameters(struct iperf_test *test) + cJSON_free(str); + } + +- if ((j_p = cJSON_GetObjectItem(j, "tcp")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "tcp", cJSON_True)) != NULL) + set_protocol(test, Ptcp); +- if ((j_p = cJSON_GetObjectItem(j, "udp")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "udp", cJSON_True)) != NULL) + set_protocol(test, Pudp); +- if ((j_p = cJSON_GetObjectItem(j, "sctp")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "sctp", cJSON_True)) != NULL) + set_protocol(test, Psctp); +- if ((j_p = cJSON_GetObjectItem(j, "omit")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "omit", cJSON_Number)) != NULL) + test->omit = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "server_affinity")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "server_affinity", cJSON_Number)) != NULL) + test->server_affinity = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "time")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "time", cJSON_Number)) != NULL) + test->duration = j_p->valueint; + test->settings->bytes = 0; +- if ((j_p = cJSON_GetObjectItem(j, "num")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "num", cJSON_Number)) != NULL) + test->settings->bytes = j_p->valueint; + test->settings->blocks = 0; +- if ((j_p = cJSON_GetObjectItem(j, "blockcount")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "blockcount", cJSON_Number)) != NULL) + test->settings->blocks = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "MSS")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "MSS", cJSON_Number)) != NULL) + test->settings->mss = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "nodelay")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "nodelay", cJSON_True)) != NULL) + test->no_delay = 1; +- if ((j_p = cJSON_GetObjectItem(j, "parallel")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "parallel", cJSON_Number)) != NULL) + test->num_streams = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "reverse")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "reverse", cJSON_True)) != NULL) + iperf_set_test_reverse(test, 1); +- if ((j_p = cJSON_GetObjectItem(j, "bidirectional")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "bidirectional", cJSON_True)) != NULL) + iperf_set_test_bidirectional(test, 1); +- if ((j_p = cJSON_GetObjectItem(j, "window")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "window", cJSON_Number)) != NULL) + test->settings->socket_bufsize = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "len")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "len", cJSON_Number)) != NULL) + test->settings->blksize = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "bandwidth")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "bandwidth", cJSON_Number)) != NULL) + test->settings->rate = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "fqrate")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "fqrate", cJSON_Number)) != NULL) + test->settings->fqrate = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "pacing_timer")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "pacing_timer", cJSON_Number)) != NULL) + test->settings->pacing_timer = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "burst")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "burst", cJSON_Number)) != NULL) + test->settings->burst = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "TOS")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "TOS", cJSON_Number)) != NULL) + test->settings->tos = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "flowlabel")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "flowlabel", cJSON_Number)) != NULL) + test->settings->flowlabel = j_p->valueint; +- if ((j_p = cJSON_GetObjectItem(j, "title")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "title", cJSON_String)) != NULL) + test->title = strdup(j_p->valuestring); +- if ((j_p = cJSON_GetObjectItem(j, "extra_data")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "extra_data", cJSON_String)) != NULL) + test->extra_data = strdup(j_p->valuestring); +- if ((j_p = cJSON_GetObjectItem(j, "congestion")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "congestion", cJSON_String)) != NULL) + test->congestion = strdup(j_p->valuestring); +- if ((j_p = cJSON_GetObjectItem(j, "congestion_used")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "congestion_used", cJSON_String)) != NULL) + test->congestion_used = strdup(j_p->valuestring); +- if ((j_p = cJSON_GetObjectItem(j, "get_server_output")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "get_server_output", cJSON_Number)) != NULL) + iperf_set_test_get_server_output(test, 1); +- if ((j_p = cJSON_GetObjectItem(j, "udp_counters_64bit")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "udp_counters_64bit", cJSON_Number)) != NULL) + iperf_set_test_udp_counters_64bit(test, 1); +- if ((j_p = cJSON_GetObjectItem(j, "repeating_payload")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "repeating_payload", cJSON_Number)) != NULL) + test->repeating_payload = 1; +- if ((j_p = cJSON_GetObjectItem(j, "zerocopy")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "zerocopy", cJSON_Number)) != NULL) + test->zerocopy = j_p->valueint; + #if defined(HAVE_DONT_FRAGMENT) +- if ((j_p = cJSON_GetObjectItem(j, "dont_fragment")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "dont_fragment", cJSON_Number)) != NULL) + test->settings->dont_fragment = j_p->valueint; + #endif /* HAVE_DONT_FRAGMENT */ + #if defined(HAVE_SSL) +- if ((j_p = cJSON_GetObjectItem(j, "authtoken")) != NULL) ++ if ((j_p = iperf_cJSON_GetObjectItemType(j, "authtoken", cJSON_String)) != NULL) + test->settings->authtoken = strdup(j_p->valuestring); + #endif //HAVE_SSL + if (test->mode && test->protocol->id == Ptcp && has_tcpinfo_retransmits()) +@@ -2488,10 +2488,10 @@ get_results(struct iperf_test *test) + i_errno = IERECVRESULTS; + r = -1; + } else { +- j_cpu_util_total = cJSON_GetObjectItem(j, "cpu_util_total"); +- j_cpu_util_user = cJSON_GetObjectItem(j, "cpu_util_user"); +- j_cpu_util_system = cJSON_GetObjectItem(j, "cpu_util_system"); +- j_sender_has_retransmits = cJSON_GetObjectItem(j, "sender_has_retransmits"); ++ j_cpu_util_total = iperf_cJSON_GetObjectItemType(j, "cpu_util_total", cJSON_Number); ++ j_cpu_util_user = iperf_cJSON_GetObjectItemType(j, "cpu_util_user", cJSON_Number); ++ j_cpu_util_system = iperf_cJSON_GetObjectItemType(j, "cpu_util_system", cJSON_Number); ++ j_sender_has_retransmits = iperf_cJSON_GetObjectItemType(j, "sender_has_retransmits", cJSON_Number); + if (j_cpu_util_total == NULL || j_cpu_util_user == NULL || j_cpu_util_system == NULL || j_sender_has_retransmits == NULL) { + i_errno = IERECVRESULTS; + r = -1; +@@ -2513,7 +2513,7 @@ get_results(struct iperf_test *test) + else if ( test->mode == BIDIRECTIONAL ) + test->other_side_has_retransmits = result_has_retransmits; + +- j_streams = cJSON_GetObjectItem(j, "streams"); ++ j_streams = iperf_cJSON_GetObjectItemType(j, "streams", cJSON_Array); + if (j_streams == NULL) { + i_errno = IERECVRESULTS; + r = -1; +@@ -2525,16 +2525,16 @@ get_results(struct iperf_test *test) + i_errno = IERECVRESULTS; + r = -1; + } else { +- j_id = cJSON_GetObjectItem(j_stream, "id"); +- j_bytes = cJSON_GetObjectItem(j_stream, "bytes"); +- j_retransmits = cJSON_GetObjectItem(j_stream, "retransmits"); +- j_jitter = cJSON_GetObjectItem(j_stream, "jitter"); +- j_errors = cJSON_GetObjectItem(j_stream, "errors"); +- j_omitted_errors = cJSON_GetObjectItem(j_stream, "omitted_errors"); +- j_packets = cJSON_GetObjectItem(j_stream, "packets"); +- j_omitted_packets = cJSON_GetObjectItem(j_stream, "omitted_packets"); +- j_start_time = cJSON_GetObjectItem(j_stream, "start_time"); +- j_end_time = cJSON_GetObjectItem(j_stream, "end_time"); ++ j_id = iperf_cJSON_GetObjectItemType(j_stream, "id", cJSON_Number); ++ j_bytes = iperf_cJSON_GetObjectItemType(j_stream, "bytes", cJSON_Number); ++ j_retransmits = iperf_cJSON_GetObjectItemType(j_stream, "retransmits", cJSON_Number); ++ j_jitter = iperf_cJSON_GetObjectItemType(j_stream, "jitter", cJSON_Number); ++ j_errors = iperf_cJSON_GetObjectItemType(j_stream, "errors", cJSON_Number); ++ j_omitted_errors = iperf_cJSON_GetObjectItemType(j_stream, "omitted_errors", cJSON_Number); ++ j_packets = iperf_cJSON_GetObjectItemType(j_stream, "packets", cJSON_Number); ++ j_omitted_packets = iperf_cJSON_GetObjectItemType(j_stream, "omitted_packets", cJSON_Number); ++ j_start_time = iperf_cJSON_GetObjectItemType(j_stream, "start_time", cJSON_Number); ++ j_end_time = iperf_cJSON_GetObjectItemType(j_stream, "end_time", cJSON_Number); + if (j_id == NULL || j_bytes == NULL || j_retransmits == NULL || j_jitter == NULL || j_errors == NULL || j_packets == NULL) { + i_errno = IERECVRESULTS; + r = -1; +@@ -2623,7 +2623,7 @@ get_results(struct iperf_test *test) + } + else { + /* No JSON, look for textual output. Make a copy of the text for later. */ +- j_server_output = cJSON_GetObjectItem(j, "server_output_text"); ++ j_server_output = iperf_cJSON_GetObjectItemType(j, "server_output_text", cJSON_String); + if (j_server_output != NULL) { + test->server_output_text = strdup(j_server_output->valuestring); + } +@@ -2632,7 +2632,7 @@ get_results(struct iperf_test *test) + } + } + +- j_remote_congestion_used = cJSON_GetObjectItem(j, "congestion_used"); ++ j_remote_congestion_used = iperf_cJSON_GetObjectItemType(j, "congestion_used", cJSON_String); + if (j_remote_congestion_used != NULL) { + test->remote_congestion_used = strdup(j_remote_congestion_used->valuestring); + } +diff --git a/src/iperf_error.c b/src/iperf_error.c +index f7cae63..d8676dc 100644 +--- a/src/iperf_error.c ++++ b/src/iperf_error.c +@@ -60,7 +60,7 @@ iperf_err(struct iperf_test *test, const char *format, ...) + if (test != NULL && test->json_output && test->json_top != NULL) + cJSON_AddStringToObject(test->json_top, "error", str); + else { +- if (test && test->outfile && test->outfile != stdout) { ++ if (test != NULL && test->outfile != NULL && test->outfile != stdout) { + if (ct) { + fprintf(test->outfile, "%s", ct); + } +diff --git a/src/iperf_util.c b/src/iperf_util.c +index d5795ee..9f1ff33 100644 +--- a/src/iperf_util.c ++++ b/src/iperf_util.c +@@ -420,6 +420,42 @@ iperf_json_printf(const char *format, ...) + return o; + } + ++/********************** cJSON GetObjectItem w/ Type Helper ********************/ ++cJSON * iperf_cJSON_GetObjectItemType(cJSON * j, char * item_string, int expected_type){ ++ cJSON *j_p; ++ if((j_p = cJSON_GetObjectItem(j, item_string)) != NULL) ++ switch(expected_type){ ++ case cJSON_True: ++ if(cJSON_IsBool(j_p)) ++ return j_p; ++ else ++ iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string); ++ break; ++ case cJSON_String: ++ if(cJSON_IsString(j_p)) ++ return j_p; ++ else ++ iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string); ++ break; ++ case cJSON_Number: ++ if(cJSON_IsNumber(j_p)) ++ return j_p; ++ else ++ iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string); ++ break; ++ case cJSON_Array: ++ if(cJSON_IsArray(j_p)) ++ return j_p; ++ else ++ iperf_err(NULL, "iperf_cJSON_GetObjectItemType mismatch %s", item_string); ++ break; ++ default: ++ iperf_err(NULL, "unsupported type"); ++ } ++ ++ return NULL; ++} ++ + /* Debugging routine to dump out an fd_set. */ + void + iperf_dump_fdset(FILE *fp, const char *str, int nfds, fd_set *fds) +diff --git a/src/iperf_util.h b/src/iperf_util.h +index b109af2..c39a1f7 100644 +--- a/src/iperf_util.h ++++ b/src/iperf_util.h +@@ -53,6 +53,7 @@ const char* get_system_info(void); + const char* get_optional_features(void); + + cJSON* iperf_json_printf(const char *format, ...); ++cJSON * iperf_cJSON_GetObjectItemType(cJSON * j_p, char * item_string, int expected_type); + + void iperf_dump_fdset(FILE *fp, const char *str, int nfds, fd_set *fds); + +-- +2.40.0 + diff --git a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb index 6de6d6c0b8..a768a14423 100644 --- a/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb +++ b/meta-oe/recipes-benchmark/iperf3/iperf3_3.14.bb @@ -18,6 +18,7 @@ SRC_URI = "git://github.com/esnet/iperf.git;branch=master;protocol=https \ file://0001-configure.ac-check-for-CPP-prog.patch \ file://CVE-2023-7250.patch \ file://CVE-2024-26306.patch \ + file://CVE-2024-53580.patch \ " SRCREV = "a0be85934144bc04712a6695b14ea6e45c379e1d"