Date: Wed, 29 Jan 2025 19:33:34 GMT
Message-Id: <202501291933.50TJXY6R039815@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Joseph Mingrone
Subject: git: f68d1f3ef23f - stable/13 - tcpdump: ppp: Use the buffer stack for the de-escaping buffer
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: jrm
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: f68d1f3ef23f4a409535051d541e8e97f45eae3c

The branch stable/13 has been updated by jrm:

URL: https://cgit.FreeBSD.org/src/commit/?id=f68d1f3ef23f4a409535051d541e8e97f45eae3c

commit f68d1f3ef23f4a409535051d541e8e97f45eae3c
Author:     Guy Harris
AuthorDate: 2024-09-03 17:11:16 +0000
Commit:     Joseph Mingrone
CommitDate: 2025-01-29 19:29:29 +0000

tcpdump: ppp: Use the buffer stack for the de-escaping buffer

This both saves the buffer for freeing later and saves the packet pointer and snapend to be restored when packet processing is complete, even if an exception is thrown with longjmp.

This means that the hex/ASCII printing in pretty_print_packet() processes the packet data as captured or read from the savefile, rather than as modified by the PPP printer, so that the bounds checking is correct.

That fixes CVE-2024-2397, which was caused by an exception being thrown by the hex/ASCII printer (which should only happen if those routines are called by a packet printer, not if they're called for the -X/-x/-A flag), which jumps back to the setjmp() that surrounds the packet printer. Hilarity^Winfinite looping ensues.

Also, restore ndo->ndo_packetp before calling the hex/ASCII printing routine, in case nd_pop_all_packet_info() didn't restore it.
Reviewed by: emaste (cherry picked from commit f8860353d4f4c25bacdae5bc1cfb7a95edc9bfe0) --- contrib/tcpdump/print-ppp.c | 31 +++++++++++++++++-------------- contrib/tcpdump/print.c | 8 ++++++-- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/contrib/tcpdump/print-ppp.c b/contrib/tcpdump/print-ppp.c index aba243ddb6f2..e5ae0646ebae 100644 --- a/contrib/tcpdump/print-ppp.c +++ b/contrib/tcpdump/print-ppp.c @@ -42,6 +42,8 @@ #include #endif +#include + #include "netdissect.h" #include "extract.h" #include "addrtoname.h" @@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo, u_char *b, *t, c; const u_char *s; u_int i, proto; - const void *sb, *se; if (caplen == 0) return; @@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo, if (length == 0) return; - b = (u_char *)nd_malloc(ndo, caplen); - if (b == NULL) - return; + b = (u_char *)malloc(caplen); + if (b == NULL) { + (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, + "%s: malloc", __func__); + } /* * Unescape all the data into a temporary, private, buffer. @@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo, } /* - * Change the end pointer, so bounds checks work. - * Change the pointer to packet data to help debugging. + * Switch to the output buffer for dissection, and save it + * on the buffer stack so it can be freed; our caller must + * pop it when done. */ - sb = ndo->ndo_packetp; - se = ndo->ndo_snapend; - ndo->ndo_packetp = b; - ndo->ndo_snapend = t; + if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) { + free(b); + (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, + "%s: can't push buffer on buffer stack", __func__); + } length = ND_BYTES_AVAILABLE_AFTER(b); /* now lets guess about the payload codepoint format */ @@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo, } cleanup: - ndo->ndo_packetp = sb; - ndo->ndo_snapend = se; + nd_pop_packet_info(ndo); return; trunc: - ndo->ndo_packetp = sb; - ndo->ndo_snapend = se; + nd_pop_packet_info(ndo); nd_print_trunc(ndo); } 
diff --git a/contrib/tcpdump/print.c b/contrib/tcpdump/print.c index 41a6b524fbf8..96d34b772f08 100644 --- a/contrib/tcpdump/print.c +++ b/contrib/tcpdump/print.c @@ -434,10 +434,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h, nd_pop_all_packet_info(ndo); /* - * Restore the original snapend, as a printer might have - * changed it. + * Restore the originals snapend and packetp, as a printer + * might have changed them. + * + * XXX - nd_pop_all_packet_info() should have restored the + * original values, but, just in case.... */ ndo->ndo_snapend = sp + h->caplen; + ndo->ndo_packetp = sp; if (ndo->ndo_Xflag) { /* * Print the raw packet data in hex and ASCII.
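Review bot: in the malloc() hunk of ppp_hdlc(), the NULL branch calls (*ndo->ndo_error)() with S_ERR_ND_MEM_ALLOC but no longer returns, so the code relies on ndo_error never returning; if it ever did, the unescape loop below would write through a NULL b. Either keep the `return;` that the nd_malloc() version had after the error call, or say in a comment that ndo_error is noreturn. Also worth noting: between this malloc() and the nd_push_buffer() call further down, nothing tracks b, so if anything in the unescape loop (not shown in the hunk) can longjmp on a truncated read, the buffer leaks on that path.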
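Review bot: the new comment in the nd_push_buffer() hunk says "our caller must pop it when done", but the cleanup: and trunc: labels in the same function call nd_pop_packet_info() themselves (next hunk); the caller-side nd_pop_all_packet_info() in pretty_print_packet() is only the safety net for the longjmp case. Reword along the lines of "save it on the buffer stack so it is freed and the packet pointers restored when we pop it at cleanup, or when our caller pops everything after a longjmp". The push-failure path that frees b before calling ndo_error is correct, since the stack never took ownership.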
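Review bot: cleanup: and trunc: in ppp_hdlc() each call nd_pop_packet_info(), so every exit between the push and the end of the function has to go through one of these two labels; a plain return added later in the payload-guessing code would leave the private buffer on the stack until pretty_print_packet() pops everything. Consider having trunc: print the truncation marker and then goto cleanup, so the pop exists in exactly one place.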
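Review bot: typo in the new comment in pretty_print_packet(): "the originals snapend and packetp" should read "the original snapend and packetp". The "XXX ... just in case...." wording also undersells why the ndo_packetp restore matters: the PPP printer's de-escaping buffer is freed when it is popped, so if ndo_packetp still pointed at it the -X/-x/-A hex/ASCII dump would read freed memory with the wrong bounds; say that instead of "just in case".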
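The buffer-stack mechanism the commit message describes, as an added C example that is not tcpdump's code: a constructed miniature of netdissect_options with push/pop, a PPP HDLC de-escaper, and a caller that pops every swapped buffer after the printer so a following hex/ASCII dump would see the captured bytes and bounds even when the printer longjmp'd out. All names here (struct dissector, ppp_unescape, push_buffer, pop_all, ppp_print, print_packet) are invented for the example and only loosely mirror nd_push_buffer(), nd_pop_all_packet_info() and pretty_print_packet().

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-in for netdissect_options with a four-deep buffer stack. */
struct frame { uint8_t *buf; const uint8_t *packetp, *snapend; };
struct dissector {
    const uint8_t *packetp, *snapend;
    jmp_buf trunc;                     /* armed by the caller, as tcpdump's is */
    struct frame stack[4]; int depth;
};
/* De-escape PPP HDLC framing (0x7d, x -> x ^ 0x20); returns the length, or (size_t)-1 if p ends mid-escape. */
static size_t ppp_unescape(const uint8_t *p, size_t caplen, uint8_t *out) {
    size_t n = 0;
    for (size_t i = 0; i < caplen; i++) {
        uint8_t c = p[i];
        if (c == 0x7d && i + 1 == caplen) return (size_t)-1;
        if (c == 0x7d) c = p[++i] ^ 0x20;
        out[n++] = c;
    }
    return n;
}
/* Swap dissection onto buf[0..len) and remember what to restore. */
static int push_buffer(struct dissector *d, uint8_t *buf, size_t len) {
    if (d->depth == 4) return 0;
    d->stack[d->depth++] = (struct frame){ buf, d->packetp, d->snapend };
    d->packetp = buf; d->snapend = buf + len;
    return 1;
}
/* Caller-side cleanup: free every pushed buffer, restore the saved pointers. */
static void pop_all(struct dissector *d) {
    while (d->depth > 0) {
        struct frame f = d->stack[--d->depth];
        free(f.buf); d->packetp = f.packetp; d->snapend = f.snapend;
    }
}
/* PPP printer: a bounds failure longjmps out like tcpdump's truncation path; nothing here restores the swap. */
static void ppp_print(struct dissector *d, const uint8_t *p, size_t caplen) {
    uint8_t *b = malloc(caplen);
    size_t len = b ? ppp_unescape(p, caplen, b) : (size_t)-1;
    if (len == (size_t)-1 || !push_buffer(d, b, len)) { free(b); longjmp(d->trunc, 1); }
    if (d->snapend - d->packetp < 2) longjmp(d->trunc, 1); /* needs 2-byte protocol field */
}
/* Caller modelled on pretty_print_packet(): 1 if a later hex/ASCII dump would see the captured bytes again. */
static int print_packet(struct dissector *d, const uint8_t *pkt, size_t caplen) {
    d->packetp = pkt; d->snapend = pkt + caplen; d->depth = 0;
    if (setjmp(d->trunc) == 0) ppp_print(d, pkt, caplen);
    pop_all(d);
    return d->packetp == pkt && d->snapend == pkt + caplen;
}
```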