From: Archana Polampalli <[email protected]>

A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue.
Signed-off-by: Archana Polampalli <[email protected]> Signed-off-by: Gyorgy Sarvari <[email protected]> (cherry picked from commit 0538af085a47b038e369db9872ffed8945b200c2) Signed-off-by: Ankur Tyagi <[email protected]> --- .../tcpreplay/tcpreplay/CVE-2025-9157.patch | 44 +++++++++++++++++++ .../tcpreplay/tcpreplay_4.4.4.bb | 1 + 2 files changed, 45 insertions(+) create mode 100644 meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch new file mode 100644 index 0000000000..e52ec0dffc --- /dev/null +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-9157.patch 
@@ -0,0 +1,44 @@ +From 73008f261f1cdf7a1087dc8759115242696d35da Mon Sep 17 00:00:00 2001 +From: Fred Klassen <[email protected]> +Date: Mon, 18 Aug 2025 18:35:16 -0700 +Subject: [PATCH] Bug #970 tcprewrite: --fixlen: do not use realloc + +No need to realloc if buffer is already proven to be big enough. + +CVE: CVE-2025-9157 + +Upstream-Status: Backport [https://github.com/appneta/tcpreplay/commit/73008f261f1cdf7a1087dc8759115242696d35da] + +Signed-off-by: Archana Polampalli <[email protected]> +--- + src/tcpedit/edit_packet.c | 1 - + src/tcprewrite.c | 2 ++ + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/tcpedit/edit_packet.c b/src/tcpedit/edit_packet.c +index 1025ff9..f9ade8f 100644 +--- a/src/tcpedit/edit_packet.c ++++ b/src/tcpedit/edit_packet.c +@@ -558,7 +558,6 @@ untrunc_packet(tcpedit_t *tcpedit, + * which seems like a corrupted pcap + */ + if (pkthdr->len > pkthdr->caplen) { +- packet = safe_realloc(packet, pkthdr->len + PACKET_HEADROOM); + memset(packet + pkthdr->caplen, '\0', pkthdr->len - pkthdr->caplen); + pkthdr->caplen = pkthdr->len; + } else if (pkthdr->len < pkthdr->caplen) { +diff --git a/src/tcprewrite.c b/src/tcprewrite.c +index c9aa52c..ee05a26 100644 +--- a/src/tcprewrite.c ++++ b/src/tcprewrite.c +@@ -270,6 +270,8 @@ rewrite_packets(tcpedit_t *tcpedit_ctx, pcap_t *pin, pcap_dumper_t *pout) + + if (pkthdr.caplen > MAX_SNAPLEN) + errx(-1, "Frame too big, caplen %d exceeds %d", pkthdr.caplen, MAX_SNAPLEN); ++ if (pkthdr.len > MAX_SNAPLEN) ++ errx(-1, "Frame too big, len %d exceeds %d", pkthdr.len, MAX_SNAPLEN); + /* + * copy over the packet so we can pad it out if necessary and + * because pcap_next() returns a const ptr +-- +2.40.0 diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb index a784190868..866661b4d1 100644 --- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb 
+++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb @@ -15,6 +15,7 @@ SRC_URI = "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar. file://CVE-2023-43279.patch \ file://CVE-2024-22654-0001.patch \ file://CVE-2024-22654-0002.patch \ + file://CVE-2025-9157.patch \ " SRC_URI[sha256sum] = "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"
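Review bot: in the edit_packet.c hunk, dropping `packet = safe_realloc(packet, pkthdr->len + PACKET_HEADROOM);` leaves the following `memset(packet + pkthdr->caplen, '\0', pkthdr->len - pkthdr->caplen);` writing up to `pkthdr->len` bytes into a buffer that this function no longer sizes, so the write is safe only because the caller pre-allocates the buffer for MAX_SNAPLEN and rejects any larger `len`, which is what the tcprewrite.c hunk enforces. Please add a short comment above the `if (pkthdr->len > pkthdr->caplen)` branch stating that invariant (the "already proven to be big enough" reasoning from the subject line belongs in the code, not only in the commit message), and confirm that every other caller of untrunc_packet() applies the same bound, since a caller that does not would now overrun instead of hitting the stale-pointer problem that the removed realloc caused when it moved the buffer.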
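Review bot: in the tcprewrite.c hunk the new `if (pkthdr.len > MAX_SNAPLEN)` check is placed correctly, before the copy and directly after the existing caplen check it mirrors; the one style point is that `errx(-1, "Frame too big, len %d exceeds %d", pkthdr.len, MAX_SNAPLEN);` formats `pkthdr.len`, an unsigned 32-bit pcap header field, with `%d`, so an oversized value above INT_MAX would be reported as negative. `%u` would be accurate, but the existing caplen line has the same formatting and this is a straight backport, so keeping the two lines consistent is acceptable here.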
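Review bot: the tcpreplay_4.4.4.bb hunk follows the existing `file://CVE-....patch \` convention in SRC_URI, and the added patch file carries the `CVE:` and `Upstream-Status: Backport [...]` tags plus the upstream commit id named in the cover text, so the recipe side is complete as submitted.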
View/Reply Online (#122684): https://lists.openembedded.org/g/openembedded-devel/message/122684
