tcpreplay: fix CVE-2024-22654

tcpreplay v4.4.4 was discovered to contain an infinite loop via the tcprewrite function at get.c. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-04-02 02:49:12 +00:00 · 2025-07-11 17:05:29 +05:30 · 2025-07-11 17:05:29 +05:30 · 2e921c2486
commit 2e921c2486
parent 1237560623
3 changed files with 127 additions and 0 deletions
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0001.patch
@ -0,0 +1,90 @@
+From 5b5644356693f5c68dd4295e86f24f1d0a515d60 Mon Sep 17 00:00:00 2001
+From: Fred Klassen <fred.klassen@broadcom.com>
+Date: Sat, 1 Jun 2024 11:46:10 -0700
+Subject: [PATCH 1/2] Bug #827 PR# 842: add check for IPv6 extension header
+ length
+
+CVE: CVE-2024-22654
+
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/5b5644356693f5c68dd4295e86f24f1d0a515d60]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/common/get.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/src/common/get.c b/src/common/get.c
+index 2d91116..89fe95b 100644
+--- a/src/common/get.c
+++ b/src/common/get.c
+@@ -41,8 +41,8 @@ extern const char pcap_version[];
+ static void *get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr);
+ 
+ /**
+- * Depending on what version of libpcap/WinPcap there are different ways to get
+- * the version of the libpcap/WinPcap library.  This presents a unified way to
+ * Depending on what version of libpcap there are different ways to get
+ * the version of the libpcap library.  This presents a unified way to
+  * get that information.
+  */
+ const char *
+@@ -196,8 +196,15 @@ parse_metadata(const u_char *pktdata,
+                uint32_t *vlan_offset)
+ {
+     bool done = false;
+-    int res = 0;
+-    while (!done && res == 0) {
+    assert(next_protocol);
+    assert(l2len);
+    assert(l2offset);
+    assert(vlan_offset);
+
+    if (!pktdata || !datalen)
+        errx(-1, "parse_metadata: invalid L2 parameters: pktdata=0x%p len=%d", pktdata, datalen);
+
+    while (!done) {
+         switch (*next_protocol) {
+         case ETHERTYPE_VLAN:
+         case ETHERTYPE_Q_IN_Q:
+@@ -205,18 +212,22 @@ parse_metadata(const u_char *pktdata,
+             if (*vlan_offset == 0)
+                 *vlan_offset = *l2len;
+ 
+-            res = parse_vlan(pktdata, datalen, next_protocol, l2len);
+            if (parse_vlan(pktdata, datalen, next_protocol, l2len))
+                return -1;
+
+             break;
+         case ETHERTYPE_MPLS:
+         case ETHERTYPE_MPLS_MULTI:
+-            res = parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset);
+            if (parse_mpls(pktdata, datalen, next_protocol, l2len, l2offset))
+                return -1;
+
+             break;
+         default:
+             done = true;
+         }
+     }
+ 
+-    return res;
+    return 0;
+ }
+ 
+ /*
+@@ -605,9 +616,11 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, const u_char *end_ptr)
+          * no further processing, either TCP, UDP, ICMP, etc...
+          */
+         default:
+-            if (proto != ip6_hdr->ip_nh) {
+            if (proto != ip6_hdr->ip_nh && next) {
+                 dbgx(3, "Returning byte offset of this ext header: %u", IPV6_EXTLEN_TO_BYTES(next->ip_len));
+                 next = (void *)((u_char *)next + IPV6_EXTLEN_TO_BYTES(next->ip_len));
+                if ((u_char*)next > end_ptr)
+                    return NULL;
+             } else {
+                 dbgx(3, "%s", "Returning end of IPv6 Header");
+             }
+-- 
+2.40.0
+
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2024-22654-0002.patch
@ -0,0 +1,35 @@
+From 52ed63329b37ae83cb86504db2c9deb6a91e2fe9 Mon Sep 17 00:00:00 2001
+From: Gabriel Ganne <gabriel.ganne@gmail.com>
+Date: Sun, 21 Jan 2024 08:59:10 +0100
+Subject: [PATCH 2/2] ipv6 - add check for extension header length
+
+Fixes #827
+
+Signed-off-by: Gabriel Ganne <gabriel.ganne@gmail.com>
+
+CVE: CVE-2024-22654
+
+Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/52ed63329b37ae83cb86504db2c9deb6a91e2fe9]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ src/common/get.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/common/get.c b/src/common/get.c
+index 89fe95b..c31de5d 100644
+--- a/src/common/get.c
+++ b/src/common/get.c
+@@ -676,6 +676,10 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr)
+     case TCPR_IPV6_NH_HBH:
+     case TCPR_IPV6_NH_AH:
+         extlen = IPV6_EXTLEN_TO_BYTES(exthdr->ip_len);
+        if (extlen == 0) {
+            dbg(3, "Malformed IPv6 extension header...");
+            return NULL;
+        }
+         dbgx(3,
+              "Looks like we're an ext header (0x%hhx).  Jumping %u bytes"
+              " to the next",
+--
+2.40.0
--- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
@ -9,6 +9,8 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE;md5=10f0474a2f0e5dccfca20f69d6598ad8"

 SRC_URI = "https://github.com/appneta/tcpreplay/releases/download/v${PV}/tcpreplay-${PV}.tar.gz \
           file://CVE-2023-4256.patch \
+           file://CVE-2024-22654-0001.patch \
+           file://CVE-2024-22654-0002.patch \
 "

 SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"