From nobody Tue Sep 03 17:26:28 2024
Date: Tue, 3 Sep 2024 17:26:28 GMT
Message-Id: <202409031726.483HQS5l027174@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Joseph Mingrone
Subject: git: f8860353d4f4 - main - tcpdump: ppp: Use the buffer stack for the de-escaping buffer

The branch main has been updated by jrm:

URL: https://cgit.FreeBSD.org/src/commit/?id=f8860353d4f4c25bacdae5bc1cfb7a95edc9bfe0

commit f8860353d4f4c25bacdae5bc1cfb7a95edc9bfe0
Author:     Guy Harris
AuthorDate: 2024-09-03 17:11:16 +0000
Commit:     Joseph Mingrone
CommitDate: 2024-09-03 17:24:16 +0000

    tcpdump: ppp: Use the buffer stack for the de-escaping buffer

    This both saves the buffer for freeing later and saves the packet
    pointer and snapend to be restored when packet processing is
    complete, even if an exception is thrown with longjmp.

    This means that the hex/ASCII printing in pretty_print_packet()
    processes the packet data as captured or read from the savefile,
    rather than as modified by the PPP printer, so that the bounds
    checking is correct.

    That fixes CVE-2024-2397, which was caused by an exception being
    thrown by the hex/ASCII printer (which should only happen if those
    routines are called by a packet printer, not if they're called for
    the -X/-x/-A flag), which jumps back to the setjmp() that surrounds
    the packet printer. Hilarity^Winfinite looping ensues.

    Also, restore ndo->ndo_packetp before calling the hex/ASCII printing
    routine, in case nd_pop_all_packet_info() didn't restore it.
Reviewed by: emaste --- contrib/tcpdump/print-ppp.c | 31 +++++++++++++++++-------------- contrib/tcpdump/print.c | 8 ++++++-- 2 files changed, 23 insertions(+), 16 deletions(-) diff --git a/contrib/tcpdump/print-ppp.c b/contrib/tcpdump/print-ppp.c index aba243ddb6f2..e5ae0646ebae 100644 --- a/contrib/tcpdump/print-ppp.c +++ b/contrib/tcpdump/print-ppp.c @@ -42,6 +42,8 @@ #include #endif +#include + #include "netdissect.h" #include "extract.h" #include "addrtoname.h" @@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo, u_char *b, *t, c; const u_char *s; u_int i, proto; - const void *sb, *se; if (caplen == 0) return; @@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo, if (length == 0) return; - b = (u_char *)nd_malloc(ndo, caplen); - if (b == NULL) - return; + b = (u_char *)malloc(caplen); + if (b == NULL) { + (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, + "%s: malloc", __func__); + } /* * Unescape all the data into a temporary, private, buffer. @@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo, } /* - * Change the end pointer, so bounds checks work. - * Change the pointer to packet data to help debugging. + * Switch to the output buffer for dissection, and save it + * on the buffer stack so it can be freed; our caller must + * pop it when done. */ - sb = ndo->ndo_packetp; - se = ndo->ndo_snapend; - ndo->ndo_packetp = b; - ndo->ndo_snapend = t; + if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) { + free(b); + (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, + "%s: can't push buffer on buffer stack", __func__); + } length = ND_BYTES_AVAILABLE_AFTER(b); /* now lets guess about the payload codepoint format */ @@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo, } cleanup: - ndo->ndo_packetp = sb; - ndo->ndo_snapend = se; + nd_pop_packet_info(ndo); return; trunc: - ndo->ndo_packetp = sb; - ndo->ndo_snapend = se; + nd_pop_packet_info(ndo); nd_print_trunc(ndo); } 
diff --git a/contrib/tcpdump/print.c b/contrib/tcpdump/print.c index 41a6b524fbf8..96d34b772f08 100644 --- a/contrib/tcpdump/print.c +++ b/contrib/tcpdump/print.c @@ -434,10 +434,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h, nd_pop_all_packet_info(ndo); /* - * Restore the original snapend, as a printer might have - * changed it. + * Restore the originals snapend and packetp, as a printer + * might have changed them. + * + * XXX - nd_pop_all_packet_info() should have restored the + * original values, but, just in case.... */ ndo->ndo_snapend = sp + h->caplen; + ndo->ndo_packetp = sp; if (ndo->ndo_Xflag) { /* * Print the raw packet data in hex and ASCII.
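Review bot: in the first print-ppp.c hunk (@@ -42,6 +42,8 @@) the header name of the added `#include` has been lost in this rendering of the patch; whatever it is, it must be the header that declares malloc() and free(), which the later hunks in this file now call directly instead of going through nd_malloc(). Worth confirming it is the standard C header and not a project-local wrapper.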
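Review bot: in the @@ -1371,9 +1372,11 @@ hunk the `if (b == NULL)` branch no longer returns after `(*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, "%s: malloc", __func__);`, so the unescaping loop that follows relies on ndo_error never returning. If that is the callback's contract, a `/* NOTREACHED */` comment on the closing brace would document it; if the callback can return, execution falls through into the loop with `b == NULL`.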
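Review bot: in the @@ -1394,13 +1397,15 @@ hunk the new comment says "our caller must pop it when done", but the `cleanup:` and `trunc:` labels later in this same function call nd_pop_packet_info(ndo) themselves, so ppp_hdlc() pops on its own normal exits; the caller only cleans up (via nd_pop_all_packet_info(), per the commit message) when a nested printer longjmp()s past those labels. Suggest rewording, e.g. "popped at cleanup/trunc below; a truncation longjmp leaves it to nd_pop_all_packet_info()". The failure path is right to free(b) before calling ndo_error, since the buffer was never handed to the stack.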
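Review bot: in the @@ -1442,13 +1447,11 @@ hunk the hand-rolled restore of ndo_packetp/ndo_snapend at `cleanup:` and `trunc:` becomes nd_pop_packet_info(ndo), which (per the commit message) also frees the pushed buffer `b`; anything read out of `b` must therefore be consumed before either label is reached, and on the `trunc:` path nd_print_trunc(ndo) correctly runs after the pop rather than before it. Both labels now do identical work, so a single shared exit would remove the duplication.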
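Review bot: in the print.c hunk (@@ -434,10 +434,14 @@) the new comment has a typo: "Restore the originals snapend and packetp" should read "the original snapend and packetp". On substance, re-pointing `ndo->ndo_packetp = sp;` next to the existing `ndo->ndo_snapend = sp + h->caplen;` is what guarantees the -x/-X/-A dump below runs over the captured bytes even if nd_pop_all_packet_info() missed a frame; if that routine is trusted, the "just in case" restore could be paired with a debug-build assertion so a missed pop is noticed rather than silently masked.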
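The save-and-restore-across-longjmp pattern the commit message describes, as an added example that is not part of this commit or of tcpdump's own code: a reduced buffer stack (push_buffer/pop_buffer), a toy PPP de-escaping printer that pushes its private buffer, and a driver modelled on pretty_print_packet() that unwinds the stack and re-points at the captured bytes before any hex dump, whether the printer returned normally or longjmp()ed on truncation. Every type and function name here (ndo_t, buf_frame_t, push_buffer, pop_buffer, get_u8, ppp_hdlc_print, print_result_t, pretty_print_packet) and both frames are constructed for this example; the real nd_push_buffer()/nd_pop_packet_info()/nd_pop_all_packet_info() have different signatures.

```c
#include <setjmp.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for tcpdump's netdissect_options (an assumption of this example, not the
 * real struct): the pointers bounds checks use, plus the truncation setjmp() context. */
typedef struct {
    const uint8_t *packetp;   /* start of the data being dissected */
    const uint8_t *snapend;   /* one past the last byte available  */
    jmp_buf trunc_jmp;
} ndo_t;

/* Buffer-stack frame: the pointers to restore on pop and a heap buffer to free. */
typedef struct buf_frame {
    const uint8_t *saved_packetp, *saved_snapend;
    uint8_t *owned;
    struct buf_frame *next;
} buf_frame_t;
static buf_frame_t *buf_stack;

/* Redirect dissection to buf[0..len) and record how to undo that later. */
static int push_buffer(ndo_t *ndo, uint8_t *buf, size_t len) {
    buf_frame_t *f = malloc(sizeof *f);
    if (f == NULL) return 0;
    f->saved_packetp = ndo->packetp; f->saved_snapend = ndo->snapend;
    f->owned = buf; f->next = buf_stack; buf_stack = f;
    ndo->packetp = buf; ndo->snapend = buf + len;
    return 1;
}

/* Undo the most recent push: restore the pointers and free the buffer. */
static void pop_buffer(ndo_t *ndo) {
    buf_frame_t *f = buf_stack;
    if (f == NULL) return;
    buf_stack = f->next;
    ndo->packetp = f->saved_packetp; ndo->snapend = f->saved_snapend;
    free(f->owned); free(f);
}

/* Bounds-checked read; an out-of-range pointer "throws" like nd_trunc_longjmp(). */
static uint8_t get_u8(ndo_t *ndo, const uint8_t *p) {
    if (p < ndo->packetp || p >= ndo->snapend) longjmp(ndo->trunc_jmp, 1);
    return *p;
}

/* Toy PPP-over-HDLC printer: de-escape "7d xx" to "xx ^ 0x20" into a private buffer,
 * push it, then read the protocol field through the bounds checker. Returns the
 * 16-bit protocol number, or -1 on allocation failure. */
static int ppp_hdlc_print(ndo_t *ndo, const uint8_t *p, size_t caplen) {
    uint8_t *b = malloc(caplen);
    if (b == NULL) return -1;
    size_t n = 0;
    for (size_t i = 0; i < caplen; i++) {
        uint8_t c = p[i];
        if (c == 0x7d) {
            if (++i >= caplen) break;   /* escape byte with nothing after it */
            c = p[i] ^ 0x20;
        }
        b[n++] = c;
    }
    if (!push_buffer(ndo, b, n)) { free(b); return -1; }
    const uint8_t *s = ndo->packetp;    /* ff 03 (address/control), then protocol */
    get_u8(ndo, s); get_u8(ndo, s + 1);
    int proto = get_u8(ndo, s + 2) << 8;
    proto |= get_u8(ndo, s + 3);        /* longjmps on a short frame, skipping the pop */
    pop_buffer(ndo);                    /* normal exit: restore and free here */
    return proto;
}

typedef struct {
    int proto, truncated;           /* decoded protocol (or -1); 1 if the printer threw */
    const uint8_t *hexdump_start;   /* what a -x/-X dump would then cover */
    size_t hexdump_len;
} print_result_t;

/* Driver modelled on pretty_print_packet(): run the printer under setjmp(), then unwind
 * the buffer stack and re-point at the captured bytes unconditionally, so the hex dump
 * never sees the printer's private (and by then freed) buffer. */
static print_result_t pretty_print_packet(const uint8_t *sp, size_t caplen) {
    ndo_t ndo;
    print_result_t r = { -1, 0, NULL, 0 };
    ndo.packetp = sp; ndo.snapend = sp + caplen;
    if (setjmp(ndo.trunc_jmp) == 0)
        r.proto = ppp_hdlc_print(&ndo, sp, caplen);
    else
        r.truncated = 1;
    while (buf_stack != NULL) pop_buffer(&ndo);  /* frees whatever a longjmp skipped */
    ndo.packetp = sp; ndo.snapend = sp + caplen; /* belt and braces, as the commit does */
    r.hexdump_start = ndo.packetp;
    r.hexdump_len = (size_t)(ndo.snapend - ndo.packetp);
    return r;
}

/* Constructed frames: "ff 7d23 c021 ..." de-escapes to "ff 03 c0 21 ..." (LCP). */
static const uint8_t FRAME_OK[]    = { 0xff, 0x7d, 0x23, 0xc0, 0x21, 0x01, 0x02 };
static const uint8_t FRAME_SHORT[] = { 0xff, 0x7d, 0x23, 0xc0 };
```

Calling pretty_print_packet() on FRAME_OK decodes protocol 0xc021 and leaves the buffer stack empty. FRAME_SHORT is the interesting case: the protocol read longjmp()s out of ppp_hdlc_print() before its own pop_buffer(), so the driver's unwind loop is what frees the de-escaped buffer and restores packetp/snapend. Without that unwind and the final re-point, a bounds-checked hex dump would be measured against the printer's smaller, already-freed buffer, which is the condition the commit message describes: the hex/ASCII printer throws, jumps back into the setjmp() around the packet printer, and loops.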