diff --git a/SOURCES/0010-pgm-fix-the-way-we-step-through-the-packet.patch b/SOURCES/0010-pgm-fix-the-way-we-step-through-the-packet.patch new file mode 100644 index 0000000..58584b0 --- /dev/null +++ b/SOURCES/0010-pgm-fix-the-way-we-step-through-the-packet.patch @@ -0,0 +1,154 @@ +From 9ce43fa1e06b1ac2ddf1630a0e90337136ea27c5 Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Mon, 21 Aug 2023 23:15:14 -0700 +Subject: [PATCH] pgm: fix the way we step through the packet. + +Step past the PGM header after we finish processing it and before we +process the message-type-specific header. + +Step past the message-type-specific fixed-length header before we +process the stuff after that header. + +This makes the code a bit clearer (by explicitly advancing bp by the +size of the stuff we just processed, rather than doing so by trickery +involving adding 1 to a pointer to a structure), and fixes the +processing of message types that don't have a message-type-specific +header (where we weren't stepping past the PGM header). It also affects +the way we handle messages of an unknown type. + +(cherry picked from commit 9a3eebde95cf1032ac68ae4312e2db14bb1fe58d) +--- + print-pgm.c | 29 +++++++++++++++-------------- + tests/pgm_opts_asan.out | 2 +- + tests/pgm_opts_asan_2.out | 2 +- + tests/pgm_opts_asan_3.out | 2 +- + 4 files changed, 18 insertions(+), 17 deletions(-) + +diff --git a/print-pgm.c b/print-pgm.c +index ccb0b46a..8a7e215b 100644 +--- a/print-pgm.c ++++ b/print-pgm.c +@@ -220,13 +220,14 @@ pgm_print(netdissect_options *ndo, + pgm->pgm_gsid[3], + pgm->pgm_gsid[4], + pgm->pgm_gsid[5]); ++ bp += sizeof(struct pgm_header); + switch (pgm_type_val) { + case PGM_SPM: { + const struct pgm_spm *spm; + +- spm = (const struct pgm_spm *)(pgm + 1); ++ spm = (const struct pgm_spm *)bp; + ND_TCHECK_SIZE(spm); +- bp = (const u_char *) (spm + 1); ++ bp += sizeof(struct pgm_spm); + + switch (GET_BE_U_2(spm->pgms_nla_afi)) { + case AFNUM_INET: +@@ -256,9 +257,9 @@ pgm_print(netdissect_options *ndo, + const struct pgm_poll *pgm_poll; + uint32_t ivl, rnd, mask; + +- pgm_poll = (const struct pgm_poll *)(pgm + 1); ++ pgm_poll = (const struct pgm_poll *)bp; + ND_TCHECK_SIZE(pgm_poll); +- bp = (const u_char *) (pgm_poll + 1); ++ bp += sizeof(struct pgm_poll); + + switch (GET_BE_U_2(pgm_poll->pgmp_nla_afi)) { + case AFNUM_INET: +@@ -294,35 +295,35 @@ pgm_print(netdissect_options *ndo, + case PGM_POLR: { + const struct pgm_polr *polr_msg; + +- polr_msg = (const struct pgm_polr *)(pgm + 1); ++ polr_msg = (const struct pgm_polr *)bp; + ND_TCHECK_SIZE(polr_msg); + ND_PRINT("POLR seq %u round %u", + GET_BE_U_4(polr_msg->pgmp_seq), + GET_BE_U_2(polr_msg->pgmp_round)); +- bp = (const u_char *) (polr_msg + 1); ++ bp += sizeof(struct pgm_polr); + break; + } + case PGM_ODATA: { + const struct pgm_data *odata; + +- odata = (const struct pgm_data *)(pgm + 1); ++ odata = (const struct pgm_data *)bp; + ND_TCHECK_SIZE(odata); + ND_PRINT("ODATA trail %u seq %u", + GET_BE_U_4(odata->pgmd_trailseq), + GET_BE_U_4(odata->pgmd_seq)); +- bp = (const u_char *) (odata + 1); ++ bp += sizeof(struct pgm_data); + break; + } + + case PGM_RDATA: { + const struct pgm_data *rdata; + +- rdata = (const struct pgm_data *)(pgm + 1); ++ rdata = (const struct pgm_data *)bp; + ND_TCHECK_SIZE(rdata); + ND_PRINT("RDATA trail %u seq %u", + GET_BE_U_4(rdata->pgmd_trailseq), + GET_BE_U_4(rdata->pgmd_seq)); +- bp = (const u_char *) (rdata + 1); ++ bp += sizeof(struct pgm_data); + break; + } + +@@ -332,9 +333,9 @@ pgm_print(netdissect_options *ndo, + const struct pgm_nak *nak; + char source_buf[INET6_ADDRSTRLEN], group_buf[INET6_ADDRSTRLEN]; + +- nak = (const struct pgm_nak *)(pgm + 1); ++ nak = (const struct pgm_nak *)bp; + ND_TCHECK_SIZE(nak); +- bp = (const u_char *) (nak + 1); ++ bp += sizeof(struct pgm_nak); + + /* + * Skip past the source, saving info along the way +@@ -401,11 +402,11 @@ pgm_print(netdissect_options *ndo, + case PGM_ACK: { + const struct pgm_ack *ack; + +- ack = (const struct pgm_ack *)(pgm + 1); ++ ack = (const struct pgm_ack *)bp; + ND_TCHECK_SIZE(ack); + ND_PRINT("ACK seq %u", + GET_BE_U_4(ack->pgma_rx_max_seq)); +- bp = (const u_char *) (ack + 1); ++ bp += sizeof(struct pgm_ack); + break; + } + +diff --git a/tests/pgm_opts_asan.out b/tests/pgm_opts_asan.out +index 6cc9b065..7527bda3 100644 +--- a/tests/pgm_opts_asan.out ++++ b/tests/pgm_opts_asan.out +@@ -1,2 +1,2 @@ + 1 00:04:16.587271427 IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->9eb9)!) +- 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] PATH_NLA [4] [|pgm] ++ 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f[Bad OPT_LENGTH option, length 0 != 4] +diff --git a/tests/pgm_opts_asan_2.out b/tests/pgm_opts_asan_2.out +index 1785a571..53830c85 100644 +--- a/tests/pgm_opts_asan_2.out ++++ b/tests/pgm_opts_asan_2.out +@@ -1,2 +1,2 @@ + 1 00:04:16.587271427 IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->96b9)!) +- 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] [Bad OPT_PGMCC_DATA option, length 4 < 12] ++ 128.121.89.107 > 89.89.16.63: 128.121.89.107.4 > 89.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f[Bad OPT_LENGTH option, length 0 != 4] +diff --git a/tests/pgm_opts_asan_3.out b/tests/pgm_opts_asan_3.out +index 2e35f2fa..b8864e29 100644 +--- a/tests/pgm_opts_asan_3.out ++++ b/tests/pgm_opts_asan_3.out +@@ -1,2 +1,2 @@ + 1 00:04:16.587271427 IP (tos 0x41,ECT(1), id 0, offset 0, flags [none], proto PGM (113), length 32639, options (unknown 89 [bad length 232]), bad cksum 5959 (->f814)!) +- 128.121.89.16 > 0.89.16.63: 128.121.89.16.4 > 0.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f OPTS LEN 225 OPT_1F [13] OPT_06 [26] [Bad OPT_REDIRECT option, length 4 < 8] ++ 128.121.89.16 > 0.89.16.63: 128.121.89.16.4 > 0.89.16.63.225: PGM, length 0 0x3414eb1f0022 UNKNOWN type 0x1f[Bad OPT_LENGTH option, length 0 != 4] +-- +2.41.0 + diff --git a/SOURCES/0011-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch b/SOURCES/0011-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch new file mode 100644 index 0000000..a0e379b --- /dev/null +++ b/SOURCES/0011-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch @@ -0,0 +1,48 @@ +From 627a1b7fdceaad8745c438bb0037e59689a1f0df Mon Sep 17 00:00:00 2001 +From: Guy Harris +Date: Tue, 22 Aug 2023 12:23:20 -0700 +Subject: [PATCH] pgm: don't advance bp by the option haeder length twice. + +At those points, we've already advanced it by the option header length, +and opt_len includes that length, so advance bp by opt_len minus the +option header length. + +(cherry picked from commit 09b0447fad52298440e05e7368f9d24492d0b0fe) +--- + print-pgm.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/print-pgm.c b/print-pgm.c +index 8a7e215b..1e67db77 100644 +--- a/print-pgm.c ++++ b/print-pgm.c +@@ -661,7 +661,7 @@ pgm_print(netdissect_options *ndo, + + case PGM_OPT_PATH_NLA: + ND_PRINT(" PATH_NLA [%u]", opt_len); +- bp += opt_len; ++ bp += opt_len - 2; + opts_len -= opt_len; + break; + +@@ -703,7 +703,7 @@ pgm_print(netdissect_options *ndo, + + case PGM_OPT_CR: + ND_PRINT(" CR"); +- bp += opt_len; ++ bp += opt_len - 2; + opts_len -= opt_len; + break; + +@@ -807,7 +807,7 @@ pgm_print(netdissect_options *ndo, + + default: + ND_PRINT(" OPT_%02X [%u] ", opt_type, opt_len); +- bp += opt_len; ++ bp += opt_len - 2; + opts_len -= opt_len; + break; + } +-- +2.41.0 + diff --git a/SOURCES/0012-CVE-2021-41043.patch b/SOURCES/0012-CVE-2021-41043.patch new file mode 100644 index 0000000..b2c3956 --- /dev/null +++ b/SOURCES/0012-CVE-2021-41043.patch @@ -0,0 +1,48 @@ +From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001 +From: Denis Ovsienko +Date: Thu, 30 Dec 2021 17:52:52 +0000 +Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice(). + +This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110), +see GitHub issue #11. + +In extract_slice() pcap_dump_open() takes a pcap_t argument to tell +which DLT to use for the output file. This used to be the pcap_t of the +first input file, as main() requires at least one input file. However, +the loop before pcap_dump_open() closes all, including the first, input +files that don't meet a test condition. This way, when the first file +didn't meet the condition, the call to pcap_dump_open() would end up as +a use-after-free. Make the pcap_dump_open() call before the loop, when +the first array element is always valid, and fix this problem. +--- +diff --git a/tcpslice-1.3/tcpslice.c b/tcpslice-1.3/tcpslice.c +index e7b9ba8..507dd1b 100644 +--- a/tcpslice-1.3/tcpslice.c ++++ b/tcpslice-1.3/tcpslice.c +@@ -838,6 +838,13 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name, + TV_SUB(start_time, base_time, &relative_start); + TV_SUB(stop_time, base_time, &relative_stop); + ++ /* Always write the output file, use the first input file's DLT. */ ++ global_dumper = pcap_dump_open(states[0].p, write_file_name); ++ if (!global_dumper) { ++ error("error creating output file '%s': %s", ++ write_file_name, pcap_geterr(states[0].p)); ++ } ++ + for (i = 0; i < numfiles; ++i) { + s = &states[i]; + +@@ -876,12 +883,6 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name, + get_next_packet(s); + } + +- global_dumper = pcap_dump_open(states->p, write_file_name); +- if (!global_dumper) { +- error( "error creating output file %s: %s", +- write_file_name, pcap_geterr( states->p ) ); +- } +- + + /* + * Now, loop thru all the packets in all the files, diff --git a/SPECS/tcpdump.spec b/SPECS/tcpdump.spec index d5d836d..ab4fc0c 100644 --- a/SPECS/tcpdump.spec +++ b/SPECS/tcpdump.spec @@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool Name: tcpdump Epoch: 14 Version: 4.99.0 -Release: 7%{?dist} +Release: 9%{?dist} License: BSD with advertising URL: http://www.tcpdump.org Requires(pre): shadow-utils @@ -17,6 +17,9 @@ Patch0002: 0002-Use-getnameinfo-instead-of-gethostbyaddr.patch Patch0003: 0003-Drop-root-priviledges-before-opening-first-savefile-.patch Patch0007: 0007-Introduce-nn-option.patch Patch0009: 0009-Change-n-flag-to-nn-in-TESTonce.patch +Patch0010: 0010-pgm-fix-the-way-we-step-through-the-packet.patch +Patch0011: 0011-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch +Patch0012: 0012-CVE-2021-41043.patch %define tcpslice_dir tcpslice-1.3 @@ -81,6 +84,12 @@ exit 0 %{_mandir}/man8/tcpdump.8* %changelog +* Tue Jan 16 2024 Michal Ruprich - 14:4.99.0-9 +- Resolves: RHEL-21558 - tcpslice: use-after-free in extract_slice() + +* Wed Nov 01 2023 Pavol Žáčik - 14:4.99.0-8 +- Resolves: RHEL-10714 - Fix PGM option printing + * Wed May 24 2023 Michal Ruprich - 14:4.99.0-7 - Resolves: #2188429 - enable GUESS_TSO for large packets