[meta-oe][dunfell][PATCH] tcpdump: Add fix for CVE-2018-16301


Riyaz Ahmed Khan
 

From: Riyaz Ahmed Khan <Riyaz.Khan@...>

Add patch for CVE issue: CVE-2018-16301
Link: https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86

Upstream-Status: Pending

Issue: MGUBSYS-5370

Change-Id: I2aac084e61ba9d71ae614a97b4924eaa60328b79
Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@...>
---
.../tcpdump/tcpdump/CVE-2018-16301.patch | 111 ++++++++++++++++++
.../recipes-support/tcpdump/tcpdump_4.9.3.bb | 1 +
2 files changed, 112 insertions(+)
create mode 100644 meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch

diff --git a/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
new file mode 100644
index 000000000..5f5c68ccd
--- /dev/null
+++ b/meta-networking/recipes-support/tcpdump/tcpdump/CVE-2018-16301.patch
@@ -0,0 +1,111 @@
+From 8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86 Mon Sep 17 00:00:00 2001
+From: Guy Harris <gharris@...>
+Date: Wed, 30 Sep 2020 11:37:30 -0700
+Subject: [PATCH] Handle very large -f files by rejecting them.
+
+_read(), on Windows, has a 32-bit size argument and a 32-bit return
+value, so reject -f files that have more than 2^31-1 characters.
+
+Add some #defines so that, on Windows, we use _fstati64 to get the size
+of that file, to handle large files.
+
+Don't assume that our definition for ssize_t is the same size as size_t;
+by the time we want to print the return value of the read, we know it'll
+fit into an int, so just cast it to int and print it with %d.
+
+(cherry picked from commit faf8fb70af3a013e5d662b8283dec742fd6b1a77)
+
+CVE: CVE-2022-25308
+Upstream-Status: Backport [https://github.com/the-tcpdump-group/tcpdump/commit/8ab211a7ec728bb0ad8c766c8eeb12deb0a13b86]
+
+Signed-off-by: Riyaz Ahmed Khan <Riyaz.Khan@...>
+
+---
+ netdissect-stdinc.h | 16 +++++++++++++++-
+ tcpdump.c | 15 ++++++++++++---
+ 2 files changed, 27 insertions(+), 4 deletions(-)
+
+diff --git a/netdissect-stdinc.h b/netdissect-stdinc.h
+index 8282c5846..9941c2a16 100644
+--- a/netdissect-stdinc.h
++++ b/netdissect-stdinc.h
+@@ -149,10 +149,17 @@
+ #ifdef _MSC_VER
+ #define stat _stat
+ #define open _open
+-#define fstat _fstat
+ #define read _read
+ #define close _close
+ #define O_RDONLY _O_RDONLY
++
++/*
++ * We define our_fstat64 as _fstati64, and define our_statb as
++ * struct _stati64, so we get 64-bit file sizes.
++ */
++#define our_fstat _fstati64
++#define our_statb struct _stati64
++
+ #endif /* _MSC_VER */
+
+ /*
+@@ -211,6 +218,13 @@ typedef char* caddr_t;
+
+ #include <arpa/inet.h>
+
++/*
++ * We should have large file support enabled, if it's available,
++ * so just use fstat as our_fstat and struct stat as our_statb.
++ */
++#define our_fstat fstat
++#define our_statb struct stat
++
+ #endif /* _WIN32 */
+
+ #ifndef HAVE___ATTRIBUTE__
+diff --git a/tcpdump.c b/tcpdump.c
+index 043bda1d7..8f27ba2a4 100644
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -108,6 +108,7 @@ The Regents of the University of California. All rights reserved.\n";
+ #endif /* HAVE_CAP_NG_H */
+ #endif /* HAVE_LIBCAP_NG */
+
++#include "netdissect-stdinc.h"
+ #include "netdissect.h"
+ #include "interface.h"
+ #include "addrtoname.h"
+@@ -861,15 +862,22 @@ read_infile(char *fname)
+ {
+ register int i, fd, cc;
+ register char *cp;
+- struct stat buf;
++ our_statb buf;
+
+ fd = open(fname, O_RDONLY|O_BINARY);
+ if (fd < 0)
+ error("can't open %s: %s", fname, pcap_strerror(errno));
+
+- if (fstat(fd, &buf) < 0)
++ if (our_fstat(fd, &buf) < 0)
+ error("can't stat %s: %s", fname, pcap_strerror(errno));
+
++ /*
++ * Reject files whose size doesn't fit into an int; a filter
++ * *that* large will probably be too big.
++ */
++ if (buf.st_size > INT_MAX)
++ error("%s is too large", fname);
++
+ cp = malloc((u_int)buf.st_size + 1);
+ if (cp == NULL)
+ error("malloc(%d) for %s: %s", (u_int)buf.st_size + 1,
+@@ -878,7 +886,8 @@ read_infile(char *fname)
+ if (cc < 0)
+ error("read %s: %s", fname, pcap_strerror(errno));
+ if (cc != buf.st_size)
+- error("short read %s (%d != %d)", fname, cc, (int)buf.st_size);
++ error("short read %s (%d != %d)", fname, (int) cc,
++ (int)buf.st_size);
+
+ close(fd);
+ /* replace "# comment" with spaces */
diff --git a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
index 2ea493863..66bf21775 100644
--- a/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
+++ b/meta-networking/recipes-support/tcpdump/tcpdump_4.9.3.bb
@@ -18,6 +18,7 @@ SRC_URI = " \
file://add-ptest.patch \
file://run-ptest \
file://0001-PPP-When-un-escaping-don-t-allocate-a-too-large-buff.patch \
+ file://CVE-2018-16301.patch \
"

SRC_URI[md5sum] = "a4ead41d371f91aa0a2287f589958bae"
--
2.17.1

Join openembedded-devel@lists.openembedded.org to automatically receive all group messages.