mirror of
https://git.yoctoproject.org/meta-security
synced 2026-01-11 15:00:34 +00:00
Upstream-Status: Backport from [aab7f35c76,a753cdbe84,c82fa5ca0d,2bd3bd0e31]

CVEs Fixed:
CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass
CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow
CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic
CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached

Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
54 lines
2.0 KiB
From a6052dca1e27f3c8f96ec7be0fe7514c56a0d56f Mon Sep 17 00:00:00 2001
From: Victor Julien <vjulien@oisf.net>
Date: Tue, 4 Jun 2024 14:43:22 +0200
Subject: [PATCH 1/4] defrag: don't use completed tracker

When a Tracker is set up for an IPID, frags come in for it and it's
reassembled and complete, the `DefragTracker::remove` flag is set. This
is meant to tell the hash cleanup code to recycle the tracker and to let
the lookup code skip the tracker during lookup.

A logic error led to the following scenario:

1. there are sufficient frag trackers to make sure the hash table is
   filled with trackers
2. frags for a Packet with IPID X are processed correctly (X1)
3. frags for a new Packet that also has IPID X come in quickly after the
   first (X2).
4. during the lookup, the frag for X2 hashes to a hash row that holds
   more than one tracker
5. as the trackers in hash row are evaluated, it finds the tracker for
   X1, but since the `remove` bit is not checked, it is returned as the
   tracker for X2.
6. reassembly fails, as the tracker is already complete

The logic error is that only for the first tracker in a row the `remove`
bit was checked, leading to reuse of a closed tracker if there were more
trackers in the hash row.

Ticket: #7042.

Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b]
CVE: CVE-2024-37151
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
---
 src/defrag-hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/defrag-hash.c b/src/defrag-hash.c
index 2f19ce2..87d40f9 100644
--- a/src/defrag-hash.c
+++ b/src/defrag-hash.c
@@ -591,7 +591,7 @@ DefragTracker *DefragGetTrackerFromHash (Packet *p)
return dt;
}

- if (DefragTrackerCompare(dt, p) != 0) {
+ if (!dt->remove && DefragTrackerCompare(dt, p) != 0) {
/* we found our tracker, lets put it on top of the
* hash list -- this rewards active trackers */
if (dt->hnext) {
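Review bot: the `+` line `if (!dt->remove && DefragTrackerCompare(dt, p) != 0)` correctly refuses a completed tracker for every element of the row chain, but nothing in the code says why; the `remove` semantics (reassembled, waiting for the hash cleanup to recycle it) live only in the commit message, so a one-line comment above the condition would help, e.g. `/* skip completed trackers awaiting recycle; a new packet reusing this IPID needs a fresh one */`. The commit message states that the head-of-row tracker was already checked for `remove`; that path is outside this hunk, so the backport should confirm that the target tree at index 2f19ce2 carries that check too, otherwise the same reassembly failure remains for the first tracker in a row. A regression test exercising two packets with the same IPID hashing into one row (the X1/X2 sequence from the message) would pin the fix, since the visible change is a single condition with no accompanying test.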
--
2.44.0
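As an added illustration, not Suricata's code and not part of this patch, the following C model reproduces the scenario the commit message describes: a per-row chain of trackers with a `remove` flag, where a lookup that checks the flag only on the head of the row hands a completed tracker back to a new packet that reuses the same IPID. All names here (`Tracker`, `lookup_buggy`, `lookup_fixed`, `row_push`, the 4-row table and the sample addresses) are hypothetical and constructed for the demonstration; the real `DefragGetTrackerFromHash` and `DefragTrackerCompare` are not modelled.

```c
/* Added example, not Suricata source: a toy defrag tracker hash with a
 * per-row linked list and a `remove` flag, to show why the flag must be
 * checked for every tracker in the row, not only the head. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_ROWS 4   /* tiny table so a row collision is easy to construct */

typedef struct Tracker {
    uint32_t src, dst;
    uint16_t ipid;
    bool remove;             /* set once reassembly completed: recycle me */
    struct Tracker *hnext;   /* next tracker in the same hash row */
} Tracker;

typedef struct { Tracker *head; } Row;

static Row table[HASH_ROWS];

static unsigned row_index(uint32_t src, uint32_t dst, uint16_t ipid) {
    return (src ^ dst ^ ipid) % HASH_ROWS;   /* constructed hash, not Suricata's */
}

static bool matches(const Tracker *t, uint32_t src, uint32_t dst, uint16_t ipid) {
    return t->src == src && t->dst == dst && t->ipid == ipid;
}

/* Lookup as the commit message describes the bug: only the head of the
 * row is tested for `remove`; the rest of the chain is not. */
static Tracker *lookup_buggy(uint32_t src, uint32_t dst, uint16_t ipid) {
    Tracker *t = table[row_index(src, dst, ipid)].head;
    if (t == NULL)
        return NULL;
    if (!t->remove && matches(t, src, dst, ipid))
        return t;
    for (t = t->hnext; t != NULL; t = t->hnext)
        if (matches(t, src, dst, ipid))   /* `remove` never consulted here */
            return t;
    return NULL;
}

/* Fixed lookup: a tracker is returned only if it is live AND matches. */
static Tracker *lookup_fixed(uint32_t src, uint32_t dst, uint16_t ipid) {
    Tracker *t = table[row_index(src, dst, ipid)].head;
    for (; t != NULL; t = t->hnext)
        if (!t->remove && matches(t, src, dst, ipid))
            return t;
    return NULL;   /* caller allocates a fresh tracker for the new packet */
}

static void row_push(Tracker *t) {
    Row *r = &table[row_index(t->src, t->dst, t->ipid)];
    t->hnext = r->head;
    r->head = t;
}

/* Reproduce steps 1-5 of the commit message with a given lookup routine.
 * X1 (IPID 100) is reassembled and flagged `remove`, then a second tracker
 * that hashes into the same row is pushed on top of it. The lookup for X2,
 * a new packet reusing IPID 100, must NOT get X1 back.
 * Returns true when the lookup wrongly returned the completed tracker. */
static bool lookup_returns_completed(Tracker *(*lookup)(uint32_t, uint32_t, uint16_t)) {
    static Tracker x1, other;
    memset(table, 0, sizeof(table));
    x1 = (Tracker){ .src = 1, .dst = 2, .ipid = 100 };
    row_push(&x1);
    x1.remove = true;                                   /* X1 complete */
    /* IPID 104 lands in the same row as IPID 100 under row_index() */
    other = (Tracker){ .src = 1, .dst = 2, .ipid = 104 };
    row_push(&other);                                   /* row: other -> x1 */
    Tracker *found = lookup(1, 2, 100);                 /* X2 arrives */
    return found == &x1;
}

int main(void) {
    printf("buggy lookup returns completed tracker: %s\n",
           lookup_returns_completed(lookup_buggy) ? "yes" : "no");
    printf("fixed lookup returns completed tracker: %s\n",
           lookup_returns_completed(lookup_fixed) ? "yes" : "no");
    return 0;
}
```

With the buggy routine the completed X1 tracker is returned for X2 and reassembly of the second packet fails, which is the behaviour behind the policy-bypass description in the backport; the fixed routine returns NULL so the caller sets up a fresh tracker, and the flagged one is left for the cleanup code to recycle.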