tcpreplay: fix CVE-2025-51006

Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c. This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes the cleanup routine multiple times on the same memory region. By supplying a specifically crafted pcap file to the tcprewrite binary, a local attacker can exploit this flaw to cause a Denial of Service (DoS) via memory corruption. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-04-02 02:49:12 +00:00 · 2025-09-25 14:49:52 +05:30 · 2025-09-25 14:49:52 +05:30 · 0a2ce1c4dd
commit 0a2ce1c4dd
parent cb4570120b
2 changed files with 98 additions and 0 deletions
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
@ -0,0 +1,97 @@
+From 868db118535a646a8a48c957f1e6367069be1aa7 Mon Sep 17 00:00:00 2001
+From: Fred Klassen <fred.klassen@broadcom.com>
+Date: Wed, 9 Jul 2025 21:01:12 -0700
+Subject: [PATCH] Bug #902 juniper: added safeguards Protect against invalid or
+ unsupported Juniper packets.
+
+Notes:
+
+- only Ethernet packets are currently supported
+- was unable to recreate the original bug, but areas where hardening was required
+
+CVE: CVE-2025-51006
+
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/868db118535a646a8a48c957f1e6367069be1aa7]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ .../plugins/dlt_jnpr_ether/jnpr_ether.c       | 33 +++++++++++++++++--
+ .../plugins/dlt_jnpr_ether/jnpr_ether.h       |  2 ++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
+index 9642a2c..671d5c0 100644
+--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
+++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
+@@ -202,8 +202,12 @@ dlt_jnpr_ether_parse_opts(tcpeditdlt_t *ctx)
+ int
+ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
+ {
+    int extensions_len = 0;
+     int jnpr_header_len = 0;
+     const u_char *ethernet = NULL;
+    const u_char *extension;
+    u_char dlt = 0;
+    u_char encapsulation = 0;
+     jnpr_ether_config_t *config;
+
+     assert(ctx);
+@@ -228,9 +232,10 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
+     }
+
+     /* then get the Juniper header length */
+-    memcpy(&jnpr_header_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
+    memcpy(&extensions_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
+
+-    jnpr_header_len = ntohs(jnpr_header_len) + JUNIPER_ETHER_HEADER_LEN;
+    extensions_len = ntohs(extensions_len);
+    jnpr_header_len = extensions_len + JUNIPER_ETHER_HEADER_LEN;
+
+     dbgx(1, "jnpr header len: %d", jnpr_header_len);
+     /* make sure the packet is big enough to find the Ethernet Header */
+@@ -245,6 +250,30 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
+     /* jump to the appropriate offset */
+     ethernet = packet + jnpr_header_len;
+
+    /* parse the extension header to ensure this is Ethernet - the only DLT we currently support */
+    extension = packet + JUNIPER_ETHER_HEADER_LEN;
+    while (extension  < ethernet - 2) {
+        u_char ext_len = extension[1];
+        if (extension[0] == JUNIPER_ETHER_EXT_MEDIA_TYPE)
+            dlt = extension[2];
+        else if (extension[0] == JUNIPER_ETHER_EXT_ENCAPSULATION)
+            encapsulation = extension[2];
+        if (dlt != 0 && encapsulation != 0)
+            break;
+        extension += ext_len + 2;
+    }
+
+    if (extension > ethernet) {
+        tcpedit_seterr(ctx->tcpedit, "Extension to long! %d", extension - ethernet);
+        return TCPEDIT_ERROR;
+    }
+
+    if (dlt != DLT_EN10MB || encapsulation != 14) {
+        tcpedit_setwarn(ctx->tcpedit, "packet DLT %d and extension type %d not supported",
+            dlt, extension);
+        return TCPEDIT_WARN;
+    }
+
+     /* let the en10mb plugin decode the rest */
+     if (tcpedit_dlt_decode(config->subctx, ethernet, (pktlen - jnpr_header_len)) == TCPEDIT_ERROR)
+         return TCPEDIT_ERROR;
+diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
+index 4875350..90c12b4 100644
+--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
+++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
+@@ -33,6 +33,8 @@ extern "C" {
+ #define JUNIPER_ETHER_L2PRESENT 0x80
+ #define JUNIPER_ETHER_DIRECTION 0x01
+ #define JUNIPER_ETHER_EXTLEN_OFFSET 4
+#define JUNIPER_ETHER_EXT_MEDIA_TYPE 3
+#define JUNIPER_ETHER_EXT_ENCAPSULATION 6
+
+ int dlt_jnpr_ether_register(tcpeditdlt_t *ctx);
+ int dlt_jnpr_ether_init(tcpeditdlt_t *ctx);
+--
+2.40.0
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@ -17,6 +17,7 @@ SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
    file://CVE-2024-22654-0002.patch \
    file://CVE-2025-9157.patch \
    file://CVE-2025-9384.patch \
+    file://CVE-2025-51006.patch \
 "

 SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"