rpms/tcpdump
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-21558 - tcpslice: use-after-free in extract_slice()

Browse Source
This commit is contained in:
Michal Ruprich 2024-01-18 10:56:55 +01:00
parent 1e9438a463
commit aefd74dff4
2 changed files with 53 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
0012-CVE-2021-41043.patch Normal file
View File

@ -0,0 +1,48 @@
From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Thu, 30 Dec 2021 17:52:52 +0000
Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice().
This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110),
see GitHub issue #11.
In extract_slice() pcap_dump_open() takes a pcap_t argument to tell
which DLT to use for the output file. This used to be the pcap_t of the
first input file, as main() requires at least one input file. However,
the loop before pcap_dump_open() closes all, including the first, input
files that don't meet a test condition. This way, when the first file
didn't meet the condition, the call to pcap_dump_open() would end up as
a use-after-free. Make the pcap_dump_open() call before the loop, when
the first array element is always valid, and fix this problem.
---
diff --git a/tcpslice-1.3/tcpslice.c b/tcpslice-1.3/tcpslice.c
index e7b9ba8..507dd1b 100644
--- a/tcpslice-1.3/tcpslice.c
+++ b/tcpslice-1.3/tcpslice.c
@@ -838,6 +838,13 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
TV_SUB(start_time, base_time, &relative_start);
TV_SUB(stop_time, base_time, &relative_stop);
+ /* Always write the output file, use the first input file's DLT. */
+ global_dumper = pcap_dump_open(states[0].p, write_file_name);
+ if (!global_dumper) {
+ error("error creating output file '%s': %s",
+ write_file_name, pcap_geterr(states[0].p));
+ }
+
for (i = 0; i < numfiles; ++i) {
s = &states[i];
@@ -876,12 +883,6 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
get_next_packet(s);
}
- global_dumper = pcap_dump_open(states->p, write_file_name);
- if (!global_dumper) {
- error( "error creating output file %s: %s",
- write_file_name, pcap_geterr( states->p ) );
- }
-
/*
* Now, loop thru all the packets in all the files,

6
tcpdump.spec
View File

@ -2,7 +2,7 @@ Summary: A network traffic monitoring tool
Name: tcpdump Name: tcpdump
Epoch: 14 Epoch: 14
Version: 4.99.0 Version: 4.99.0
Release: 8%{?dist} Release: 9%{?dist}
License: BSD with advertising License: BSD with advertising
URL: http://www.tcpdump.org URL: http://www.tcpdump.org
Requires(pre): shadow-utils Requires(pre): shadow-utils
@ -19,6 +19,7 @@ Patch0007: 0007-Introduce-nn-option.patch
Patch0009: 0009-Change-n-flag-to-nn-in-TESTonce.patch Patch0009: 0009-Change-n-flag-to-nn-in-TESTonce.patch
Patch0010: 0010-pgm-fix-the-way-we-step-through-the-packet.patch Patch0010: 0010-pgm-fix-the-way-we-step-through-the-packet.patch
Patch0011: 0011-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch Patch0011: 0011-pgm-don-t-advance-bp-by-the-option-haeder-length-twi.patch
Patch0012: 0012-CVE-2021-41043.patch
%define tcpslice_dir tcpslice-1.3 %define tcpslice_dir tcpslice-1.3
@ -83,6 +84,9 @@ exit 0
%{_mandir}/man8/tcpdump.8* %{_mandir}/man8/tcpdump.8*
%changelog %changelog
* Tue Jan 16 2024 Michal Ruprich <mruprich@redhat.com> - 14:4.99.0-9
- Resolves: RHEL-21558 - tcpslice: use-after-free in extract_slice()
* Wed Nov 01 2023 Pavol Žáčik <pzacik@redhat.com> - 14:4.99.0-8 * Wed Nov 01 2023 Pavol Žáčik <pzacik@redhat.com> - 14:4.99.0-8
- Resolves: RHEL-10714 - Fix PGM option printing - Resolves: RHEL-10714 - Fix PGM option printing