- tcpslice: use-after-free in extract_slice()
parent
d31a35f316
commit
1b2c7b7502
48
SOURCES/0017-CVE-2021-41043.patch
Normal file
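--- a/SOURCES/0017-CVE-2021-41043.patch
+++ b/SOURCES/0017-CVE-2021-41043.patch
@@ -0,0 +1,48 @@
+From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Thu, 30 Dec 2021 17:52:52 +0000
+Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice().
+
+This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110),
+see GitHub issue #11.
+
+In extract_slice() pcap_dump_open() takes a pcap_t argument to tell
+which DLT to use for the output file. This used to be the pcap_t of the
+first input file, as main() requires at least one input file. However,
+the loop before pcap_dump_open() closes all, including the first, input
+files that don't meet a test condition. This way, when the first file
+didn't meet the condition, the call to pcap_dump_open() would end up as
+a use-after-free. Make the pcap_dump_open() call before the loop, when
+the first array element is always valid, and fix this problem.
+---
+diff --git a/tcpslice-1.3/tcpslice.c b/tcpslice-1.3/tcpslice.c
+index e7b9ba8..507dd1b 100644
+--- a/tcpslice-1.3/tcpslice.c
++++ b/tcpslice-1.3/tcpslice.c
+@@ -838,6 +838,13 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
+TV_SUB(start_time, base_time, &relative_start);
+TV_SUB(stop_time, base_time, &relative_stop);
+
++ /* Always write the output file, use the first input file's DLT. */
++ global_dumper = pcap_dump_open(states[0].p, write_file_name);
++ if (!global_dumper) {
++ error("error creating output file '%s': %s",
++ write_file_name, pcap_geterr(states[0].p));
++ }
++
+for (i = 0; i < numfiles; ++i) {
+s = &states[i];
+
+@@ -876,12 +883,6 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
+get_next_packet(s);
+}
+
+- global_dumper = pcap_dump_open(states->p, write_file_name);
+- if (!global_dumper) {
+- error( "error creating output file %s: %s",
+- write_file_name, pcap_geterr( states->p ) );
+- }
+-
+
+/*
+* Now, loop thru all the packets in all the files,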
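Review bot: The backported patch names `tcpslice-1.3/tcpslice.c` in its `diff --git` and `---`/`+++` headers, while the spec hunk in this same commit still carries `%define tcpslice_dir tcpslice-1.2a3`; the `%prep` section that applies Patch0017 is outside this page, so the strip level or working directory used there needs to be confirmed against that path, otherwise the build fails at patch application instead of producing a fixed tcpslice. The hunk offsets (`@@ -838,6 +838,13 @@`, `@@ -876,12 +883,6 @@`) and the `error()` call shape were taken from the 1.3 tree, so the context lines (`TV_SUB(...)`, `get_next_packet(s);`) should be checked against the 1.2a3 source to make sure the relocated `pcap_dump_open()` block lands before the loop that closes input files, which is the whole point of the fix. The new code also changes the message format from `%s` to `'%s'` and indexes `states[0].p` instead of `states->p`; both are equivalent and fine, just worth knowing when diffing logs against older builds. extract_slice() starts and ends outside both hunks.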
@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool
Name: tcpdump
Epoch: 14
Version: 4.9.3
Release: 3%{?dist}
Release: 3%{?dist}.1.alma.1
License: BSD with advertising
URL: http://www.tcpdump.org
Group: Applications/Internet
@ -27,6 +27,10 @@ Patch0014: 0014-enhance-mptcp.patch
Patch0015: 0015-CVE-2020-8037.patch
Patch0016: 0016-direction-for-any.patch
# Patches were taken from:
# https://gitlab.com/redhat/centos-stream/rpms/tcpdump/-/commit/aefd74dff4685a47468cd619ee6c88d282ce298a
Patch0017: 0017-CVE-2021-41043.patch
%define tcpslice_dir tcpslice-1.2a3
%description
@ -91,6 +95,9 @@ exit 0
%{_mandir}/man8/tcpdump.8*
%changelog
* Mon Feb 12 2024 Eduard Abdullin <eabdullin@almalinux.org> - 14:4.9.3-3.1.alma.1
- tcpslice: use-after-free in extract_slice()
* Mon Jan 10 2022 Michal Ruprich <mruprich@redhat.com> - 14:4.9.3-3
- Resolves: #2005451 - tcpdump support for direction and interface needed in RHEL8