Resolves: RHEL-21558 - tcpslice: use-after-free in extract_slice()

2024-01-18 10:56:55 +01:00 · 2024-01-18 10:56:55 +01:00 · 8b361cb166
parent 1e9438a463
commit 8b361cb166
3 changed files with 56 additions and 1 deletions
--- a/.tcpdump.metadata
+++ b/.tcpdump.metadata
@ -0,0 +1,3 @@
+4445c159ce45fa6fd9767658918eaf59175afac3 tcpslice-1.3.tar.gz
+4348a93b47a5b35a9c04abcee4d84a04b1a681f8 tcpdump-4.99.0.tar.gz
+3fadebc3d3edaa3f4326a11864a0034ba1f2ccb7 tcpdump-4.99.0.tar.gz.sig
--- a/0012-CVE-2021-41043.patch
+++ b/0012-CVE-2021-41043.patch
@ -0,0 +1,48 @@
+From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001
+From: Denis Ovsienko <denis@ovsienko.info>
+Date: Thu, 30 Dec 2021 17:52:52 +0000
+Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice().
+
+This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110),
+see GitHub issue #11.
+
+In extract_slice() pcap_dump_open() takes a pcap_t argument to tell
+which DLT to use for the output file.  This used to be the pcap_t of the
+first input file, as main() requires at least one input file.  However,
+the loop before pcap_dump_open() closes all, including the first, input
+files that don't meet a test condition.  This way, when the first file
+didn't meet the condition, the call to pcap_dump_open() would end up as
+a use-after-free.  Make the pcap_dump_open() call before the loop, when
+the first array element is always valid, and fix this problem.
+---
+diff --git a/tcpslice-1.3/tcpslice.c b/tcpslice-1.3/tcpslice.c
+index e7b9ba8..507dd1b 100644
+--- a/tcpslice-1.3/tcpslice.c
+++ b/tcpslice-1.3/tcpslice.c
+@@ -838,6 +838,13 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
+ 	TV_SUB(start_time, base_time, &relative_start);
+ 	TV_SUB(stop_time, base_time, &relative_stop);
+ 
+	/* Always write the output file, use the first input file's DLT. */
+	global_dumper = pcap_dump_open(states[0].p, write_file_name);
+	if (!global_dumper) {
+		error("error creating output file '%s': %s",
+		      write_file_name, pcap_geterr(states[0].p));
+	}
+
+ 	for (i = 0; i < numfiles; ++i) {
+ 		s = &states[i];
+ 
+@@ -876,12 +883,6 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
+ 		get_next_packet(s);
+ 	}
+ 
+-	global_dumper = pcap_dump_open(states->p, write_file_name);
+-	if (!global_dumper) {
+-		error( "error creating output file %s: %s",
+-			write_file_name, pcap_geterr( states->p ) );
+-	}
+-
+ 
+ 	/*
+ 	 * Now, loop thru all the packets in all the files,
--- a/tcpdump.spec
+++ b/tcpdump.spec
@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool
 Name: tcpdump
 Epoch: 14
 Version: 4.99.0
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: BSD with advertising
 URL: http://www.tcpdump.org
 Requires(pre): shadow-utils
@ -19,6 +19,7 @@ Patch0007:      0007-Introduce-nn-option.patch
 Patch0009:      0009-Change-n-flag-to-nn-in-TESTonce.patch
 Patch0010:      0010-pgm-fix-the-way-we-step-through-the-packet.patch
 Patch0011:      0011-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch
+Patch0012:      0012-CVE-2021-41043.patch

 %define tcpslice_dir tcpslice-1.3

@ -83,6 +84,9 @@ exit 0
 %{_mandir}/man8/tcpdump.8*

 %changelog
+* Tue Jan 16 2024 Michal Ruprich <mruprich@redhat.com> - 14:4.99.0-9
+- Resolves: RHEL-21558 - tcpslice: use-after-free in extract_slice()
+
 * Wed Nov 01 2023 Pavol Žáčik <pzacik@redhat.com> - 14:4.99.0-8
 - Resolves: RHEL-10714 - Fix PGM option printing