author | Thomas Gerbet <thomas@gerbet.me> | 2024-04-29 22:07:19 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-04-29 22:07:19 +0200 |
commit | a22ed4590f756a4a0871ae8e27f2e38256f494b1 (patch) | |
tree | 76e9c1b123dd4e6ecf8c9ced7aa023c34cc5e202 /pkgs/applications | |
parent | f44f5c9f9abe405c18a2d464786a01185a2c90bb (diff) | |
parent | 0f352261f45b1851118ee656ec724e4ddfa8c6b7 (diff) |
Merge pull request #307212 from risicle/ris-sngrep-CVE-2024-3119-CVE-2024-3120-r23.11
[23.11] sngrep: add patch for CVE-2024-3119 & CVE-2024-3120
Diffstat (limited to 'pkgs/applications')
-rw-r--r-- | pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch | 74 | ||||
-rw-r--r-- | pkgs/applications/networking/sniffers/sngrep/default.nix | 1 |
2 files changed, 75 insertions, 0 deletions
diff --git a/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
new file mode 100644
index 0000000000000..29ea997fee464
--- /dev/null
+++ b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch
@@ -0,0 +1,74 @@
+Based on upstream dd5fec92730562af6f96891291cd4e102b80bfcc, adjusted to
+apply cleanly to 1.7.0
+
+diff --git a/src/sip.c b/src/sip.c
+index 20a2d81..f2dde5c 100644
+--- a/src/sip.c
++++ b/src/sip.c
+@@ -264,7 +264,7 @@ sip_validate_packet(packet_t *packet)
+ uint32_t plen = packet_payloadlen(packet);
+ u_char payload[MAX_SIP_PAYLOAD];
+ regmatch_t pmatch[4];
+- char cl_header[10];
++ char cl_header[MAX_CONTENT_LENGTH_SIZE];
+ int content_len;
+ int bodylen;
+
+@@ -291,7 +291,15 @@ sip_validate_packet(packet_t *packet)
+ return VALIDATE_PARTIAL_SIP;
+ }
+
+- strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, (int)pmatch[2].rm_eo - pmatch[2].rm_so);
++ // Ensure the copy length does not exceed MAX_CONTENT_LENGTH_SIZE - 1
++ int cl_match_len = pmatch[2].rm_eo - pmatch[2].rm_so;
++ if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) {
++ cl_match_len = MAX_CONTENT_LENGTH_SIZE - 1;
++ }
++
++ strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, cl_match_len);
++ cl_header[cl_match_len] = '\0'; // Ensuring null termination
++
+ content_len = atoi(cl_header);
+
+ // Check if we have Body separator field
+@@ -756,7 +764,7 @@ void
+ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
+ {
+ regmatch_t pmatch[4];
+- char warning[10];
++ char warning[MAX_WARNING_SIZE];
+
+ // Reason text
+ if (regexec(&calls.reg_reason, (const char *)payload, 2, pmatch, 0) == 0) {
+@@ -766,8 +774,16 @@ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload)
+
+ // Warning code
+ if (regexec(&calls.reg_warning, (const char *)payload, 2, pmatch, 0) == 0) {
+- strncpy(warning, (const char *)payload + pmatch[1].rm_so, (int)pmatch[1].rm_eo - pmatch[1].rm_so);
+- msg->call->warning = atoi(warning);
++
++ // Ensure the copy length does not exceed MAX_WARNING_SIZE - 1
++ int warning_match_len = pmatch[1].rm_eo - pmatch[1].rm_so;
++ if (warning_match_len > MAX_WARNING_SIZE - 1) {
++ warning_match_len = MAX_WARNING_SIZE - 1;
++ }
++ strncpy(warning, (const char *)payload + pmatch[1].rm_so, warning_match_len);
++ warning[warning_match_len] = '\0'; // Ensuring null termination
++
++ msg->call->warning = atoi(warning);
+ }
+ }
+
+diff --git a/src/sip.h b/src/sip.h
+index 78afdc2..a9fd06e 100644
+--- a/src/sip.h
++++ b/src/sip.h
+@@ -45,6 +45,8 @@
+ #include "hash.h"
+
+ #define MAX_SIP_PAYLOAD 10240
++#define MAX_CONTENT_LENGTH_SIZE 10
++#define MAX_WARNING_SIZE 10
+
+ //! Shorter declaration of sip_call_list structure
+ typedef struct sip_call_list sip_call_list_t;
diff --git a/pkgs/applications/networking/sniffers/sngrep/default.nix b/pkgs/applications/networking/sniffers/sngrep/default.nix
index 36084ae3acda7..2794669111c37 100644
--- a/pkgs/applications/networking/sniffers/sngrep/default.nix
+++ b/pkgs/applications/networking/sniffers/sngrep/default.nix
@@ -27,6 +27,7 @@ stdenv.mkDerivation rec {
 url = "https://github.com/irontec/sngrep/commit/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch";
 hash = "sha256-g8fxvxi3d7jmZEKTbxqw29hJbm/ShsKKxstsOUGxTug=";
 })
+ ./1.7.0-CVE-2024-3119-CVE-2024-3120.patch
 ];

 nativeBuildInputs = [ |
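Review bot: In the vendored sngrep patch, the clamp in sip_validate_packet silently truncates an over-long Content-Length match to its first nine characters, so `atoi(cl_header)` yields a length the sender never wrote and the checks that follow run on that value. The out-of-bounds write is closed either way, but for data read off the wire it would be safer to treat a match longer than `MAX_CONTENT_LENGTH_SIZE - 1` as malformed and return early instead of parsing a prefix. The same applies to the `warning` clamp in sip_parse_extra_headers, where leaving `msg->call->warning` unset on an over-long match is enough. A short comment next to `MAX_CONTENT_LENGTH_SIZE` and `MAX_WARNING_SIZE` saying that the value includes the terminating NUL would also help, e.g. `/* buffer size, including the trailing '\0' */`. Both function bodies continue outside the hunks shown.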