authorThomas Gerbet <thomas@gerbet.me>2024-04-29 22:07:19 +0200
committerGitHub <noreply@github.com>2024-04-29 22:07:19 +0200
commita22ed4590f756a4a0871ae8e27f2e38256f494b1 (patch)
tree76e9c1b123dd4e6ecf8c9ced7aa023c34cc5e202 /pkgs/applications/networking
parentf44f5c9f9abe405c18a2d464786a01185a2c90bb (diff)
parent0f352261f45b1851118ee656ec724e4ddfa8c6b7 (diff)
Merge pull request #307212 from risicle/ris-sngrep-CVE-2024-3119-CVE-2024-3120-r23.11
[23.11] sngrep: add patch for CVE-2024-3119 & CVE-2024-3120
Diffstat (limited to 'pkgs/applications/networking')
-rw-r--r--pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch74
-rw-r--r--pkgs/applications/networking/sniffers/sngrep/default.nix1
2 files changed, 75 insertions, 0 deletions
diff --git a/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
new file mode 100644
index 0000000000000..29ea997fee464
--- /dev/null
+++ b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
@@ -0,0 +1,74 @@
+Based on upstream dd5fec92730562af6f96891291cd4e102b80bfcc, adjusted to
+apply cleanly to 1.7.0
+
+diff --git a/src/sip.c b/src/sip.c
+index 20a2d81..f2dde5c 100644
+--- a/src/sip.c
++++ b/src/sip.c
+@@ -264,7 +264,7 @@ sip_validate_packet(packet_t *packet)
+     uint32_t plen = packet_payloadlen(packet);
+     u_char payload[MAX_SIP_PAYLOAD];
+     regmatch_t pmatch[4];
+-    char cl_header[10];
++    char cl_header[MAX_CONTENT_LENGTH_SIZE];
+     int content_len;
+     int bodylen;
+ 
+@@ -291,7 +291,15 @@ sip_validate_packet(packet_t *packet)
+         return VALIDATE_PARTIAL_SIP;
+     }
+ 
+-    strncpy(cl_header, (const char *)payload +  pmatch[2].rm_so, (int)pmatch[2].rm_eo - pmatch[2].rm_so);
++    // Ensure the copy length does not exceed MAX_CONTENT_LENGTH_SIZE - 1
++    int cl_match_len = pmatch[2].rm_eo - pmatch[2].rm_so;
++    if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) {
++        cl_match_len = MAX_CONTENT_LENGTH_SIZE - 1;
++    }
++
++    strncpy(cl_header, (const char *)payload +  pmatch[2].rm_so, cl_match_len);
++    cl_header[cl_match_len] = '\0'; // Ensuring null termination
++
+     content_len = atoi(cl_header);
+ 
+     // Check if we have Body separator field
+@@ -756,7 +764,7 @@ void
+ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
+ {
+     regmatch_t pmatch[4];
+-    char warning[10];
++    char warning[MAX_WARNING_SIZE];
+ 
+      // Reason text
+      if (regexec(&calls.reg_reason, (const char *)payload, 2, pmatch, 0) == 0) {
+@@ -766,8 +774,16 @@ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
+ 
+      // Warning code
+      if (regexec(&calls.reg_warning, (const char *)payload, 2, pmatch, 0) == 0) {
+-         strncpy(warning, (const char *)payload +  pmatch[1].rm_so, (int)pmatch[1].rm_eo - pmatch[1].rm_so);
+-         msg->call->warning = atoi(warning);
++
++        // Ensure the copy length does not exceed MAX_WARNING_SIZE - 1
++        int warning_match_len = pmatch[1].rm_eo - pmatch[1].rm_so;
++        if (warning_match_len > MAX_WARNING_SIZE - 1) {
++            warning_match_len = MAX_WARNING_SIZE - 1;
++        }
++        strncpy(warning, (const char *)payload +  pmatch[1].rm_so, warning_match_len);
++        warning[warning_match_len] = '\0'; // Ensuring null termination
++
++        msg->call->warning = atoi(warning);
+      }
+ }
+ 
+diff --git a/src/sip.h b/src/sip.h
+index 78afdc2..a9fd06e 100644
+--- a/src/sip.h
++++ b/src/sip.h
+@@ -45,6 +45,8 @@
+ #include "hash.h"
+ 
+ #define MAX_SIP_PAYLOAD 10240
++#define MAX_CONTENT_LENGTH_SIZE 10
++#define MAX_WARNING_SIZE 10
+ 
+ //! Shorter declaration of sip_call_list structure
+ typedef struct sip_call_list sip_call_list_t;
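Review bot: In sip_validate_packet an over-long Content-Length match is clamped to `MAX_CONTENT_LENGTH_SIZE - 1` and then still parsed, so a value of ten or more characters is silently read as its first nine and `content_len` no longer matches what the sender declared; the Warning branch in sip_parse_extra_headers truncates the same way. The clamp plus explicit terminator does close the out-of-bounds write into the 10-byte stack buffers, but since `content_len` presumably feeds the body-length comparison further down (outside these hunks), rejecting the packet is safer than guessing: return the validator's rejection result instead of clamping, and in the warning branch only assign when `warning_match_len <= MAX_WARNING_SIZE - 1`. `atoi` also reports no errors, so `strtol` with an end-pointer check would let non-numeric remnants be detected. Both function bodies start and end outside the hunks shown, and the patch header says it was adjusted from upstream dd5fec92730562af6f96891291cd4e102b80bfcc, so the adjusted hunks are worth comparing against that commit.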
diff --git a/pkgs/applications/networking/sniffers/sngrep/default.nix b/pkgs/applications/networking/sniffers/sngrep/default.nix
index 36084ae3acda7..2794669111c37 100644
--- a/pkgs/applications/networking/sniffers/sngrep/default.nix
+++ b/pkgs/applications/networking/sniffers/sngrep/default.nix
@@ -27,6 +27,7 @@ stdenv.mkDerivation rec {
       url = "https://github.com/irontec/sngrep/commit/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch";
       hash = "sha256-g8fxvxi3d7jmZEKTbxqw29hJbm/ShsKKxstsOUGxTug=";
     })
+    ./1.7.0-CVE-2024-3119-CVE-2024-3120.patch
   ];
 
   nativeBuildInputs = [