
Fix three more issues. Closes: #922624 [CVE-2019-8376], Closes: #922623 [CVE-2019-8377], Closes: #922622 [CVE-2019-8381]

Christoph Biedl 5 years ago
parent
commit
332fb1e310

+ 32 - 0
debian/patches/cherry-pick.v4.3.1-12-gdae97cba.bugs-538-add-check-for-packet-length-in-do-checksum.patch

@@ -0,0 +1,32 @@
+Subject: Bugs #538 add check for packet length in do_checksum()
+ID: CVE-2019-8381
+Origin: v4.3.1-12-gdae97cba <https://github.com/appneta/tcpreplay/commit/v4.3.1-12-gdae97cba>
+Upstream-Author: Fred Klassen <fklassen@appneta.com>
+Date: Tue Mar 12 13:29:10 2019 -0700
+Bug-Debian: https://bugs.debian.org/922622
+
+--- a/src/tcpedit/checksum.c
++++ b/src/tcpedit/checksum.c
+@@ -41,6 +41,7 @@
+     udp_hdr_t *udp;
+     icmpv4_hdr_t *icmp;
+     icmpv6_hdr_t *icmp6;
++    u_char *layer;
+     int ip_hl;
+     int sum;
+ 
+@@ -62,7 +63,13 @@
+         proto = get_ipv6_l4proto(ipv6, len);
+         dbgx(3, "layer4 proto is 0x%hx", (uint16_t)proto);
+ 
+-        ip_hl = (u_char*)get_layer4_v6(ipv6, len) - (u_char*)data;
++        layer = (u_char*)get_layer4_v6(ipv6, len);
++        if (!layer) {
++            tcpedit_setwarn(tcpedit, "%s", "Packet to short for checksum");
++            return TCPEDIT_WARN;
++        }
++
++        ip_hl = layer - (u_char*)data;
+         dbgx(3, "ip_hl proto is 0x%d", ip_hl);
+ 
+         len -= (ip_hl - TCPR_IPV6_H);
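Review bot: The new `if (!layer)` guard only rejects a NULL return from get_layer4_v6(), and the following `len -= (ip_hl - TCPR_IPV6_H);` is still applied without checking that the extension headers fit inside the packet. If `ip_hl - TCPR_IPV6_H` can exceed `len`, the remaining length goes negative before the layer-4 checksum code reads the TCP/UDP/ICMPv6 header. A guard before the subtraction, such as `if (ip_hl < TCPR_IPV6_H || len < ip_hl - TCPR_IPV6_H)` returning `TCPEDIT_WARN`, would close that gap. do_checksum() continues outside the hunk, so confirm whether a later check already covers this. The warning text also has a typo and should read `"Packet too short for checksum"`.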

+ 23 - 0
debian/patches/cherry-pick.v4.3.1-2-gecee2ace.fix-null-pointer-dereference-get-ipv6-l4proto.patch

@@ -0,0 +1,23 @@
+Subject: Fix NULL pointer dereference get_ipv6_l4proto()
+ID: CVE-2019-8376
+Origin: v4.3.1-2-gecee2ace <https://github.com/appneta/tcpreplay/commit/v4.3.1-2-gecee2ace>
+Upstream-Author: Gabriel Ganne <gabriel.ganne@mindmaze.ch>
+Date: Wed Mar 6 14:31:08 2019 +0100
+Bug-Debian: https://bugs.debian.org/922624
+
+    get_ipv6_next() returns NULL on malformed packets. If that happens
+    return the last proto that could be read.
+
+    This should fix issue #537
+
+--- a/src/common/get.c
++++ b/src/common/get.c
+@@ -536,6 +536,8 @@
+             case TCPR_IPV6_NH_HBH:
+                 dbgx(3, "Jumping to next extension header (0x%hhx)", proto);
+                 exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len);
++                if (exthdr == NULL)
++                    return proto;
+                 proto = exthdr->ip_nh;
+                 ptr = (u_char *)exthdr;
+                 break;
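Review bot: The NULL check added after `get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, len)` depends on that helper spotting a truncated header, but in this branch `ptr` advances to each new extension header while the same `len` is passed on every pass. Unless `len` is reduced elsewhere in the loop, which lies outside the hunk, the bound over-states the bytes left and a short packet may never yield the NULL this fix relies on; pass the length remaining from `ptr` instead. The get_layer4_v6() patch in this commit has a related issue: `maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);` looks sign-reversed if `next` lies after `ip6_hdr`, which would make `maxlen` grow rather than shrink. Also note that `return proto;` now hands callers an extension-header number rather than a layer-4 protocol, which deserves a comment such as `/* malformed chain: proto is the last next-header value read, not necessarily an L4 protocol */`.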

+ 23 - 0
debian/patches/cherry-pick.v4.3.1-3-g5d6f191d.fix-null-pointer-dereference-in-get-layer4-v6.patch

@@ -0,0 +1,23 @@
+Subject: Fix NULL pointer dereference in get_layer4_v6()
+ID: CVE-2019-8377
+Origin: v4.3.1-3-g5d6f191d <https://github.com/appneta/tcpreplay/commit/v4.3.1-3-g5d6f191d>
+Upstream-Author: Gabriel Ganne <gabriel.ganne@mindmaze.ch>
+Date: Wed Mar 6 14:15:56 2019 +0100
+Bug-Debian: https://bugs.debian.org/922623
+
+    get_ipv6_next() returns NULL on malformed packets. If that happens
+    return the last header that could be read.
+
+    This should fix issue #536
+
+--- a/src/common/get.c
++++ b/src/common/get.c
+@@ -407,6 +407,8 @@
+             dbgx(3, "Going deeper due to extension header 0x%02X", proto);
+             maxlen = len - (int)((u_char *)ip6_hdr - (u_char *)next);
+             exthdr = get_ipv6_next(next, maxlen);
++            if (exthdr == NULL)
++                return next;
+             proto = exthdr->ip_nh;
+             next = exthdr;
+             break;
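Review bot: `return next;` gives callers a non-NULL pointer to an extension header when the chain is malformed, so a caller that only tests for NULL will treat that header as the start of layer 4. The `if (!layer)` guard added to do_checksum() in this same commit is one such caller, and it will not fire for this case. If returning the last readable header is intended, say so on the function, e.g. `/* On a truncated extension-header chain, returns the last header that could be read; it may not be a layer-4 header. */`. Otherwise `return NULL;` here would let the existing NULL guards reject the packet. The function body starts and ends outside the hunk, so other exits may already handle this.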

+ 5 - 0
debian/patches/series

@@ -1,2 +1,7 @@
+# cherry-picked commits. Keep in upstream's chronological order.
+cherry-pick.v4.3.1-2-gecee2ace.fix-null-pointer-dereference-get-ipv6-l4proto.patch
+cherry-pick.v4.3.1-3-g5d6f191d.fix-null-pointer-dereference-in-get-layer4-v6.patch
+cherry-pick.v4.3.1-12-gdae97cba.bugs-538-add-check-for-packet-length-in-do-checksum.patch
+
 disable-tcpreplay-test.patch
 catch-caplen-exceed.patch