From 0f352261f45b1851118ee656ec724e4ddfa8c6b7 Mon Sep 17 00:00:00 2001 From: Robert Scott Date: Sat, 27 Apr 2024 13:20:36 +0100 Subject: sngrep: add patch for CVE-2024-3119 & CVE-2024-3120 --- .../sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch | 74 ++++++++++++++++++++++ .../networking/sniffers/sngrep/default.nix | 1 + 2 files changed, 75 insertions(+) create mode 100644 pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch diff --git a/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch new file mode 100644 index 0000000000000..29ea997fee464 --- /dev/null +++ b/pkgs/applications/networking/sniffers/sngrep/1.7.0-CVE-2024-3119-CVE-2024-3120.patch @@ -0,0 +1,74 @@ +Based on upstream dd5fec92730562af6f96891291cd4e102b80bfcc, adjusted to +apply cleanly to 1.7.0 + +diff --git a/src/sip.c b/src/sip.c +index 20a2d81..f2dde5c 100644 +--- a/src/sip.c ++++ b/src/sip.c +@@ -264,7 +264,7 @@ sip_validate_packet(packet_t *packet) + uint32_t plen = packet_payloadlen(packet); + u_char payload[MAX_SIP_PAYLOAD]; + regmatch_t pmatch[4]; +- char cl_header[10]; ++ char cl_header[MAX_CONTENT_LENGTH_SIZE]; + int content_len; + int bodylen; + +@@ -291,7 +291,15 @@ sip_validate_packet(packet_t *packet) + return VALIDATE_PARTIAL_SIP; + } + +- strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, (int)pmatch[2].rm_eo - pmatch[2].rm_so); ++ // Ensure the copy length does not exceed MAX_CONTENT_LENGTH_SIZE - 1 ++ int cl_match_len = pmatch[2].rm_eo - pmatch[2].rm_so; ++ if (cl_match_len > MAX_CONTENT_LENGTH_SIZE - 1) { ++ cl_match_len = MAX_CONTENT_LENGTH_SIZE - 1; ++ } ++ ++ strncpy(cl_header, (const char *)payload + pmatch[2].rm_so, cl_match_len); ++ cl_header[cl_match_len] = '\0'; // Ensuring null termination ++ + content_len = atoi(cl_header); + + // Check if we have Body separator field +@@ -756,7 +764,7 @@ void + sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload) + { + regmatch_t pmatch[4]; +- char warning[10]; ++ char warning[MAX_WARNING_SIZE]; + + // Reason text + if (regexec(&calls.reg_reason, (const char *)payload, 2, pmatch, 0) == 0) { +@@ -766,8 +774,16 @@ sip_parse_extra_headers(sip_msg_t *msg, const u_char *payload) + + // Warning code + if (regexec(&calls.reg_warning, (const char *)payload, 2, pmatch, 0) == 0) { +- strncpy(warning, (const char *)payload + pmatch[1].rm_so, (int)pmatch[1].rm_eo - pmatch[1].rm_so); +- msg->call->warning = atoi(warning); ++ ++ // Ensure the copy length does not exceed MAX_WARNING_SIZE - 1 ++ int warning_match_len = pmatch[1].rm_eo - pmatch[1].rm_so; ++ if (warning_match_len > MAX_WARNING_SIZE - 1) { ++ warning_match_len = MAX_WARNING_SIZE - 1; ++ } ++ strncpy(warning, (const char *)payload + pmatch[1].rm_so, warning_match_len); ++ warning[warning_match_len] = '\0'; // Ensuring null termination ++ ++ msg->call->warning = atoi(warning); + } + } + +diff --git a/src/sip.h b/src/sip.h +index 78afdc2..a9fd06e 100644 +--- a/src/sip.h ++++ b/src/sip.h +@@ -45,6 +45,8 @@ + #include "hash.h" + + #define MAX_SIP_PAYLOAD 10240 ++#define MAX_CONTENT_LENGTH_SIZE 10 ++#define MAX_WARNING_SIZE 10 + + //! Shorter declaration of sip_call_list structure + typedef struct sip_call_list sip_call_list_t; diff --git a/pkgs/applications/networking/sniffers/sngrep/default.nix b/pkgs/applications/networking/sniffers/sngrep/default.nix index 36084ae3acda7..2794669111c37 100644 --- a/pkgs/applications/networking/sniffers/sngrep/default.nix +++ b/pkgs/applications/networking/sniffers/sngrep/default.nix @@ -27,6 +27,7 @@ stdenv.mkDerivation rec { url = "https://github.com/irontec/sngrep/commit/ad1daf15c8387bfbb48097c25197bf330d2d98fc.patch"; hash = "sha256-g8fxvxi3d7jmZEKTbxqw29hJbm/ShsKKxstsOUGxTug="; }) + ./1.7.0-CVE-2024-3119-CVE-2024-3120.patch ]; nativeBuildInputs = [ -- cgit 1.4.1