From 0bf4b165150db6abb5c7ea00d061f7cca1476832 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 27 Mar 2024 20:34:50 +0000
Subject: [PATCH] import CS tcpdump-4.9.3-5.el8
---
 .gitignore | 1 +
 .tcpdump.metadata | 1 +
 ...x-the-way-we-step-through-the-packet.patch | 155 ++++++++++++++++++
 ...e-bp-by-the-option-haeder-length-twi.patch | 48 ++++++
 SOURCES/0019-CVE-2021-41043.patch | 48 ++++++
 SOURCES/tcpdump-4.9.3.tar.gz.sig | Bin 442 -> 0 bytes
 SPECS/tcpdump.spec | 11 +-
 7 files changed, 263 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0017-pgm-fix-the-way-we-step-through-the-packet.patch
 create mode 100644 SOURCES/0018-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch
 create mode 100644 SOURCES/0019-CVE-2021-41043.patch
 delete mode 100644 SOURCES/tcpdump-4.9.3.tar.gz.sig
diff --git a/.gitignore b/.gitignore
index e45ade0..b87fb0f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 SOURCES/tcpdump-4.9.3.tar.gz
+SOURCES/tcpdump-4.9.3.tar.gz.sig
 SOURCES/tcpslice-1.2a3.tar.gz
diff --git a/.tcpdump.metadata b/.tcpdump.metadata
index 7eaf682..26da798 100644
--- a/.tcpdump.metadata
+++ b/.tcpdump.metadata
@@ -1,2 +1,3 @@
 59b309f3620ac4b709de2eaf7bf3a83bf04bc048 SOURCES/tcpdump-4.9.3.tar.gz
+cfc1a4a7fce082844312906046a4d53a0e87ce26 SOURCES/tcpdump-4.9.3.tar.gz.sig
 98790301cb1bf4399a95153bc62d49b3f5808994 SOURCES/tcpslice-1.2a3.tar.gz
diff --git a/SOURCES/0017-pgm-fix-the-way-we-step-through-the-packet.patch b/SOURCES/0017-pgm-fix-the-way-we-step-through-the-packet.patch
new file mode 100644
index 0000000..3e1c355
--- /dev/null
+++ b/SOURCES/0017-pgm-fix-the-way-we-step-through-the-packet.patch
@@ -0,0 +1,155 @@
+From 1ef47c304f226ca9f8a8d6bff1b43e617eafef19 Mon Sep 17 00:00:00 2001
+From: Guy Harris
+Date: Mon, 21 Aug 2023 23:15:14 -0700
+Subject: [PATCH] pgm: fix the way we step through the packet.
+
+Step past the PGM header after we finish processing it and before we
+process the message-type-specific header.
+
+Step past the message-type-specific fixed-length header before we
+process the stuff after that header.
+
+This makes the code a bit clearer (by explicitly advancing bp by the
+size of the stuff we just processed, rather than doing so by trickery
+involving adding 1 to a pointer to a structure), and fixes the
+processing of message types that don't have a message-type-specific
+header (where we weren't stepping past the PGM header). It also affects
+the way we handle messages of an unknown type.
+
+(cherry picked from commit 9a3eebde95cf1032ac68ae4312e2db14bb1fe58d)
+---
+ print-pgm.c | 29 +++++++++++++++--------------
+ tests/pgm_opts_asan.out | 2 +-
+ tests/pgm_opts_asan_2.out | 2 +-
+ tests/pgm_opts_asan_3.out | 2 +-
+ 4 files changed, 18 insertions(+), 17 deletions(-)
+
+diff --git a/print-pgm.c b/print-pgm.c
+index 7672b616..f5ef7702 100644
+--- a/print-pgm.c
++++ b/print-pgm.c
+@@ -218,13 +218,14 @@ pgm_print(netdissect_options *ndo,
+ pgm->pgm_gsid[3],
+ pgm->pgm_gsid[4],
+ pgm->pgm_gsid[5]));
++ bp += sizeof(struct pgm_header);
+ switch (pgm->pgm_type) {
+ case PGM_SPM: {
+ const struct pgm_spm *spm;
+
+- spm = (const struct pgm_spm *)(pgm + 1);
++ spm = (const struct pgm_spm *)bp;
+ ND_TCHECK(*spm);
+- bp = (const u_char *) (spm + 1);
++ bp += sizeof(struct pgm_spm);
+
+ switch (EXTRACT_16BITS(&spm->pgms_nla_afi)) {
+ case AFNUM_INET:
+@@ -253,21 +254,21 @@ pgm_print(netdissect_options *ndo,
+ case PGM_POLL: {
+ const struct pgm_poll *poll_msg;
+
+- poll_msg = (const struct pgm_poll *)(pgm + 1);
++ poll_msg = (const struct pgm_poll *)bp;
+ ND_TCHECK(*poll_msg);
+ ND_PRINT((ndo, "POLL seq %u round %u",
+ EXTRACT_32BITS(&poll_msg->pgmp_seq),
+ EXTRACT_16BITS(&poll_msg->pgmp_round)));
+- bp = (const u_char *) (poll_msg + 1);
++ bp += sizeof(struct pgm_poll);
+ break;
+ }
+ case PGM_POLR: {
+ const struct pgm_polr *polr;
+ uint32_t ivl, rnd, mask;
+
+- polr = (const struct pgm_polr *)(pgm + 1);
++ polr = (const struct pgm_polr *)bp;
+ ND_TCHECK(*polr);
+- bp = (const u_char *) (polr + 1);
++ bp += sizeof(struct pgm_polr);
+
+ switch (EXTRACT_16BITS(&polr->pgmp_nla_afi)) {
+ case AFNUM_INET:
+@@ -305,24 +306,24 @@ pgm_print(netdissect_options *ndo,
+ case PGM_ODATA: {
+ const struct pgm_data *odata;
+
+- odata = (const struct pgm_data *)(pgm + 1);
++ odata = (const struct pgm_data *)bp;
+ ND_TCHECK(*odata);
+ ND_PRINT((ndo, "ODATA trail %u seq %u",
+ EXTRACT_32BITS(&odata->pgmd_trailseq),
+ EXTRACT_32BITS(&odata->pgmd_seq)));
+- bp = (const u_char *) (odata + 1);
++ bp += sizeof(struct pgm_data);
+ break;
+ }
+
+ case PGM_RDATA: {
+ const struct pgm_data *rdata;
+
+- rdata = (const struct pgm_data *)(pgm + 1);
++ rdata = (const struct pgm_data *)bp;
+ ND_TCHECK(*rdata);
+ ND_PRINT((ndo, "RDATA trail %u seq %u",
+ EXTRACT_32BITS(&rdata->pgmd_trailseq),
+ EXTRACT_32BITS(&rdata->pgmd_seq)));
+- bp = (const u_char *) (rdata + 1);
++ bp += sizeof(struct pgm_data);
+ break;
+ }
+
+@@ -332,9 +333,9 @@ pgm_print(netdissect_options *ndo,
+ const struct pgm_nak *nak;
+ char source_buf[INET6_ADDRSTRLEN], group_buf[INET6_ADDRSTRLEN];
+
+- nak = (const struct pgm_nak *)(pgm + 1);
++ nak = (const struct pgm_nak *)bp;
+ ND_TCHECK(*nak);
+- bp = (const u_char *) (nak + 1);
++ bp += sizeof(struct pgm_nak);
+
+ /*
+ * Skip past the source, saving info along the way
+@@ -402,11 +403,11 @@ pgm_print(netdissect_options *ndo,
+ case PGM_ACK: {
+ const struct pgm_ack *ack;
+
+- ack = (const struct pgm_ack *)(pgm + 1);
++ ack = (const struct pgm_ack *)bp;
+ ND_TCHECK(*ack);
+ ND_PRINT((ndo, "ACK seq %u",
+ EXTRACT_32BITS(&ack->pgma_rx_max_seq)));
+- bp = (const u_char *) (ack + 1);
++ bp += sizeof(struct pgm_ack);
+ break;
+ }
+
+diff --git a/tests/pgm_opts_asan.out b/tests/pgm_opts_asan.out
+index cc0607a4..b75868ac 100644
+--- a/tests/pgm_opts_asan.out
++++ b/tests/pgm_opts_asan.out
+@@ -1,2 +1,2 @@
+ IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->9eb9)!)
+- 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] PATH_NLA [4] [|OPT]
++ 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f[Bad OPT_LENGTH option, length 0 != 4]
+diff --git a/tests/pgm_opts_asan_2.out b/tests/pgm_opts_asan_2.out
+index 7e948d41..21cd69a7 100644
+--- a/tests/pgm_opts_asan_2.out
++++ b/tests/pgm_opts_asan_2.out
+@@ -1,2 +1,2 @@
+ IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->96b9)!)
+- 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] [Bad OPT_PGMCC_DATA option, length 4 < 12]
++ 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f[Bad OPT_LENGTH option, length 0 != 4]
+diff --git a/tests/pgm_opts_asan_3.out b/tests/pgm_opts_asan_3.out
+index 8a6bffd3..f3da1d38 100644
+--- a/tests/pgm_opts_asan_3.out
++++ b/tests/pgm_opts_asan_3.out
+@@ -1,2 +1,2 @@
+ IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->f814)!)
+- 128.121.89.16 > 0.89.16.63: 128.121.89.16.4 > 0.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] [Bad OPT_REDIRECT option, length 4 < 8]
++ 128.121.89.16 > 0.89.16.63: 128.121.89.16.4 > 0.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f[Bad OPT_LENGTH option, length 0 != 4]
+--
+2.41.0
+
diff --git a/SOURCES/0018-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch b/SOURCES/0018-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch
new file mode 100644
index 0000000..8d62522
--- /dev/null
+++ b/SOURCES/0018-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch
@@ -0,0 +1,48 @@
+From 5109a65f791280b3549377851e4bdd77f802c207 Mon Sep 17 00:00:00 2001
+From: Guy Harris
+Date: Tue, 22 Aug 2023 12:23:20 -0700
+Subject: [PATCH] pgm: don't advance bp by the option haeder length twice.
+
+At those points, we've already advanced it by the option header length,
+and opt_len includes that length, so advance bp by opt_len minus the
+option header length.
+
+(cherry picked from commit 09b0447fad52298440e05e7368f9d24492d0b0fe)
+---
+ print-pgm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/print-pgm.c b/print-pgm.c
+index 8340f2c3..7672b616 100644
+--- a/print-pgm.c
++++ b/print-pgm.c
+@@ -668,7 +668,7 @@ pgm_print(netdissect_options *ndo,
+
+ case PGM_OPT_PATH_NLA:
+ ND_PRINT((ndo, " PATH_NLA [%d]", opt_len));
+- bp += opt_len;
++ bp += opt_len - 2;
+ opts_len -= opt_len;
+ break;
+
+@@ -710,7 +710,7 @@ pgm_print(netdissect_options *ndo,
+
+ case PGM_OPT_CR:
+ ND_PRINT((ndo, " CR"));
+- bp += opt_len;
++ bp += opt_len - 2;
+ opts_len -= opt_len;
+ break;
+
+@@ -814,7 +814,7 @@ pgm_print(netdissect_options *ndo,
+
+ default:
+ ND_PRINT((ndo, " OPT_%02X [%d] ", opt_type, opt_len));
+- bp += opt_len;
++ bp += opt_len - 2;
+ opts_len -= opt_len;
+ break;
+ }
+--
+2.41.0
+
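Review bot: The three new `bp += opt_len - 2;` lines in 0018 (the hunks at 668, 710 and 814 of print-pgm.c) are only sound if opt_len is already known to be at least 2 when they run; the option-length validation sits outside these hunks, so I cannot confirm it from the patch, and an option length of 0 or 1 would move bp backwards while `opts_len -= opt_len` still advances the loop accounting. If the earlier check does reject short options, say so at the first of the three sites with a comment such as `/* opt_len includes the 2-byte type/length header already consumed above */`, so the subtraction is not mistaken for an off-by-two later. The repeated literal 2 would also read better as one named constant for the option header size, shared by all three cases. pgm_print continues well outside these hunks.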
diff --git a/SOURCES/0019-CVE-2021-41043.patch b/SOURCES/0019-CVE-2021-41043.patch
new file mode 100644
index 0000000..27d5d46
--- /dev/null
+++ b/SOURCES/0019-CVE-2021-41043.patch
@@ -0,0 +1,48 @@
+From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko
+Date: Thu, 30 Dec 2021 17:52:52 +0000
+Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice().
+
+This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110),
+see GitHub issue #11.
+
+In extract_slice() pcap_dump_open() takes a pcap_t argument to tell
+which DLT to use for the output file. This used to be the pcap_t of the
+first input file, as main() requires at least one input file. However,
+the loop before pcap_dump_open() closes all, including the first, input
+files that don't meet a test condition. This way, when the first file
+didn't meet the condition, the call to pcap_dump_open() would end up as
+a use-after-free. Make the pcap_dump_open() call before the loop, when
+the first array element is always valid, and fix this problem.
+---
+diff --git a/tcpslice-1.2a3/tcpslice.c b/tcpslice-1.2a3/tcpslice.c
+index 6d08473..7c0f4a0 100644
+--- a/tcpslice-1.2a3/tcpslice.c
++++ b/tcpslice-1.2a3/tcpslice.c
+@@ -841,6 +841,13 @@ extract_slice(struct state *states, const int numfiles, const char *write_file_n
+ TV_SUB(start_time, base_time, &relative_start);
+ TV_SUB(stop_time, base_time, &relative_stop);
+
++ /* Always write the output file, use the first input file's DLT. */
++ dumper = pcap_dump_open(states[0].p, write_file_name);
++ if (!dumper) {
++ error("error creating output file '%s': %s",
++ write_file_name, pcap_geterr(states[0].p));
++ }
++
+ for (i = 0; i < numfiles; ++i) {
+ s = &states[i];
+
+@@ -879,12 +886,6 @@ extract_slice(struct state *states, const int numfiles, const char *write_file_n
+ get_next_packet(s);
+ }
+
+- dumper = pcap_dump_open(states->p, write_file_name);
+- if (! dumper) {
+- error( "error creating output file %s: ",
+- write_file_name, pcap_geterr( states->p ) );
+- }
+-
+
+ /*
+ * Now, loop thru all the packets in all the files,
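Review bot: Hoisting `pcap_dump_open(states[0].p, write_file_name)` above the per-file loop in the first hunk of tcpslice.c changes when the output file is created: it is now opened (and, if it already exists, truncated) before any input file has passed the loop's checks, so a failure inside that loop — which appears to terminate via error(), though its behaviour is outside the hunk — leaves an empty or stale output file where the old ordering left none. That trade-off is the right one for closing the use-after-free, but the new comment should record it, e.g. `/* Open the dumper here, before the loop below can close states[0].p; this creates the output file before the inputs are validated. */`. The hunk also relies on numfiles being at least 1 for `states[0]` to be valid, which the description attributes to main() but which nothing in this function checks; a `numfiles > 0` assertion next to the open would make that assumption explicit. extract_slice continues before and after both hunks.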
diff --git a/SOURCES/tcpdump-4.9.3.tar.gz.sig b/SOURCES/tcpdump-4.9.3.tar.gz.sig deleted file mode 100644 index ef927bf9541086cdcb1c31b5ce33e9d38b355ea9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 442 zcmV;r0Y(0a0k;GI0SEvc79j*57HU^QtGVDLnvF2viQe(q!Cegn0$q|DkN^q^5a5a4 z@!7#$4Q#~>A4IO*)nFcHUfv5*8k5$`S*%%gcm@B$eL!06>_ak%79e+c?^$S;^bu-=V06PyKFg`}WZI_>RXBO&AD%3*)$=bRnO} zJD}e4bV1mM_sSFRbY6*UX+T#Dc)c_@=#X@LMqaRT;q0@kIZuAK+nmvS`hJ~*OWETM krD>GSGQJq+S0^^kT3vUF;1k_r^*i6ag|Muj`ed%cdD - 14:4.9.3-5 +- Resolves: RHEL-7858 - tcpslice: use-after-free in extract_slice() + +* Wed Nov 01 2023 Pavol Žáčik - 14:4.9.3-4 +- Resolves: RHEL-10708 - Fix PGM option printing + * Mon Jan 10 2022 Michal Ruprich - 14:4.9.3-3 - Resolves: #2005451 - tcpdump support for direction and interface needed in RHEL8