[oe] [meta-oe][warrior][PATCH] tcpdump: Fix CVE-2017-16808

akuster808 akuster808 at gmail.com
Mon Sep 16 19:33:21 UTC 2019



On 9/16/19 12:04 PM, Peiran Hong wrote:
> Backport selected parts of three upstream commits to fix
> CVE-2017-16808 where tcpdump 4.9.2 has a heap-based buffer over-read.
>
> Upstream-Status: Backport
> [ several ]
>
> Upstream commits fully backported:
> 46aead6  [CVE-2017-16808/AoE: Add a missing bounds check]
>
> Upstream commits partially backported:
> 7068209  [Use nd_ types in 802.x and FDDI headers.]
> 84ef17a  [Replace ND_TTEST2()/ND_TCHECK2() macros by macros using
> pointers (1/n)]
>
> 46aead6 fixes the vulnerability and requires two macros defined in
> 7068209 and 84ef17a, which are committed after the release of 4.9.2.
> Only the definitions of the macros are taken from the two commits,
> as the commits themselves impact a wide range of code and are difficult to integrate.
>
> CVE: CVE-2017-16808
the backport from master is already sitting in my stable/warrior-nmut
which is under review.  I will check if that and this request are the same.

thanks for the formal request.

-armin

>
> Signed-off-by: Peiran Hong <peiran.hong at windriver.com>
> Signed-off-by: Khem Raj <raj.khem at gmail.com>
> ---
>  ...16808-AoE-Add-a-missing-bounds-check.patch | 61 +++++++++++++++++++
>  .../recipes-support/tcpdump/tcpdump_4.9.2.bb  |  1 +
>  2 files changed, 62 insertions(+)
>  create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
>
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
> new file mode 100644
> index 000000000..919f2b009
> --- /dev/null
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump/0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch
> @@ -0,0 +1,61 @@
> +From c45443a0d3e16b92622bea6b589e5930e8f0d815 Mon Sep 17 00:00:00 2001
> +From: Peiran Hong <peiran.hong at windriver.com>
> +Date: Fri, 13 Sep 2019 17:02:57 -0400
> +Subject: [PATCH] CVE-2017-16808/AoE: Add a missing bounds check.
> +
> +---
> + netdissect.h | 12 ++++++++++++
> + print-aoe.c  |  1 +
> + 2 files changed, 13 insertions(+)
> +
> +diff --git a/netdissect.h b/netdissect.h
> +index 089b0406..cd05fdb9 100644
> +--- a/netdissect.h
> ++++ b/netdissect.h
> +@@ -69,6 +69,11 @@ typedef struct {
> + typedef unsigned char nd_uint8_t;
> + typedef signed char nd_int8_t;
> + 
> ++/*
> ++ * Use this for MAC addresses.
> ++ */
> ++#define MAC_ADDR_LEN    6               /* length of MAC addresses */
> ++
> + /* snprintf et al */
> + 
> + #include <stdarg.h>
> +@@ -309,12 +314,19 @@ struct netdissect_options {
> + 	((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \
> +          (uintptr_t)&(var) <= (uintptr_t)ndo->ndo_snapend - (l)))
> + 
> ++#define ND_TTEST_LEN(p, l) \
> ++  (IS_NOT_NEGATIVE(l) && \
> ++        ((uintptr_t)ndo->ndo_snapend - (l) <= (uintptr_t)ndo->ndo_snapend && \
> ++         (uintptr_t)(p) <= (uintptr_t)ndo->ndo_snapend - (l)))
> ++
> + /* True if "var" was captured */
> + #define ND_TTEST(var) ND_TTEST2(var, sizeof(var))
> + 
> + /* Bail if "l" bytes of "var" were not captured */
> + #define ND_TCHECK2(var, l) if (!ND_TTEST2(var, l)) goto trunc
> + 
> ++#define ND_TCHECK_LEN(p, l) if (!ND_TTEST_LEN(p, l)) goto trunc
> ++
> + /* Bail if "var" was not captured */
> + #define ND_TCHECK(var) ND_TCHECK2(var, sizeof(var))
> + 
> +diff --git a/print-aoe.c b/print-aoe.c
> +index 97e93df2..ac097a04 100644
> +--- a/print-aoe.c
> ++++ b/print-aoe.c
> +@@ -325,6 +325,7 @@ aoev1_reserve_print(netdissect_options *ndo,
> + 		goto invalid;
> + 	/* addresses */
> + 	for (i = 0; i < nmacs; i++) {
> ++		ND_TCHECK_LEN(cp, MAC_ADDR_LEN);
> + 		ND_PRINT((ndo, "\n\tEthernet Address %u: %s", i, etheraddr_string(ndo, cp)));
> + 		cp += ETHER_ADDR_LEN;
> + 	}
> +-- 
> +2.21.0
> +
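Review bot: In the print-aoe.c part of the embedded patch, the new check tests `MAC_ADDR_LEN` bytes at `cp` while the loop still advances `cp` by `ETHER_ADDR_LEN`, so the length that is verified and the stride that is consumed come from two separate constants that presumably share a value but are not tied together. Writing the check as `ND_TCHECK2(*cp, ETHER_ADDR_LEN);` uses a macro already present in netdissect.h and, as far as this patch shows, would make the backported `MAC_ADDR_LEN` and `ND_TTEST_LEN`/`ND_TCHECK_LEN` definitions unnecessary. Either form jumps to a `trunc` label, and the body of aoev1_reserve_print extends outside the hunk, so confirm that the label exists in the 4.9.2 function. The embedded patch's own header also carries no `Upstream-Status:` or `CVE:` line (they appear only in the outer commit message), so that traceability should be added above its `---`.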
> diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb
> index 038c1617f..9bd861cd4 100644
> --- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb
> +++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.2.bb
> @@ -12,6 +12,7 @@ SRC_URI = " \
>      file://avoid-absolute-path-when-searching-for-libdlpi.patch \
>      file://add-ptest.patch \
>      file://run-ptest \
> +    file://0001-CVE-2017-16808-AoE-Add-a-missing-bounds-check.patch \
>  "
>  
>  SRC_URI[md5sum] = "9bbc1ee33dab61302411b02dd0515576"


