tcpdump/SOURCES/0012-CVE-2021-41043.patch

From 030859fce9c77417de657b9bb29c0f78c2d68f4a Mon Sep 17 00:00:00 2001
From: Denis Ovsienko <denis@ovsienko.info>
Date: Thu, 30 Dec 2021 17:52:52 +0000
Subject: [PATCH] CVE-2021-41043: Fix a use-after-free in extract_slice().

This issue was discovered by Mohammad Hosein Askari (@C0NSTANTINE110),
see GitHub issue #11.

In extract_slice() pcap_dump_open() takes a pcap_t argument to tell
which DLT to use for the output file.  This used to be the pcap_t of the
first input file, as main() requires at least one input file.  However,
the loop before pcap_dump_open() closes all, including the first, input
files that don't meet a test condition.  This way, when the first file
didn't meet the condition, the call to pcap_dump_open() would end up as
a use-after-free.  Make the pcap_dump_open() call before the loop, when
the first array element is always valid, and fix this problem.
---
diff --git a/tcpslice-1.3/tcpslice.c b/tcpslice-1.3/tcpslice.c
index e7b9ba8..507dd1b 100644
--- a/tcpslice-1.3/tcpslice.c
+++ b/tcpslice-1.3/tcpslice.c
@@ -838,6 +838,13 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
 	TV_SUB(start_time, base_time, &relative_start);
 	TV_SUB(stop_time, base_time, &relative_stop);
 
+	/* Always write the output file, use the first input file's DLT. */
+	global_dumper = pcap_dump_open(states[0].p, write_file_name);
+	if (!global_dumper) {
+		error("error creating output file '%s': %s",
+		      write_file_name, pcap_geterr(states[0].p));
+	}
+
 	for (i = 0; i < numfiles; ++i) {
 		s = &states[i];
 
@@ -876,12 +883,6 @@ extract_slice(struct state *states, int numfiles, const char *write_file_name,
 		get_next_packet(s);
 	}
 
-	global_dumper = pcap_dump_open(states->p, write_file_name);
-	if (!global_dumper) {
-		error( "error creating output file %s: %s",
-			write_file_name, pcap_geterr( states->p ) );
-	}
-
 
 	/*
 	 * Now, loop thru all the packets in all the files,