Hi Liyin,

On Thu, Jan 15, 2026 at 2:01 PM Zhang, Liyin (CN) via
lists.openembedded.org
<[email protected]> wrote:
>
> Hi,
>
> It appears that this patch was missed on scarthgap.
>
> The original author had already sent an earlier version of this patch
> before this one. It may have been due to missing branch information. Two
> minutes later, they replied “Kindly ignore this patch” to both of the
> original patches (CVE-2025-51006 and CVE-2025-9157), and then resent
> this revised version.
>
> What is odd is that the patch for CVE-2025-9157 was correctly merged
> into scarthgap, while CVE-2025-51006 appears to have been missed.
>
> Could anyone please help confirm this issue and merge the patch for
> CVE-2025-51006?

This was missed. I will include it in the test queue. Thank you.

Thanks,

Anuj

>
> Thanks,
>
> Liyin
>
> On 9/25/2025 5:19 PM, Polampalli, Archana via lists.openembedded.org wrote:
> > From: Archana Polampalli <[email protected]>
> >
> > Within tcpreplay's tcprewrite, a double free vulnerability has been identified
> > in the dlt_linuxsll2_cleanup() function in plugins/dlt_linuxsll2/linuxsll2.c.
> > This vulnerability is triggered when tcpedit_dlt_cleanup() indirectly invokes
> > the cleanup routine multiple times on the same memory region. By supplying a
> > specifically crafted pcap file to the tcprewrite binary, a local attacker can
> > exploit this flaw to cause a Denial of Service (DoS) via memory corruption.
> >
> > Signed-off-by: Archana Polampalli <[email protected]>
> > ---
> >   .../tcpreplay/tcpreplay/CVE-2025-51006.patch  | 97 +++++++++++++++++++
> >   .../tcpreplay/tcpreplay_4.4.4.bb              |  1 +
> >   2 files changed, 98 insertions(+)
> >   create mode 100644 
> > meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
> >
> > diff --git 
> > a/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch 
> > b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
> > new file mode 100644
> > index 0000000000..a55ac8c314
> > --- /dev/null
> > +++ 
> > b/meta-networking/recipes-support/tcpreplay/tcpreplay/CVE-2025-51006.patch
> > @@ -0,0 +1,97 @@
> > +From 868db118535a646a8a48c957f1e6367069be1aa7 Mon Sep 17 00:00:00 2001
> > +From: Fred Klassen <[email protected]>
> > +Date: Wed, 9 Jul 2025 21:01:12 -0700
> > +Subject: [PATCH] Bug #902 juniper: added safeguards Protect against 
> > invalid or
> > + unsupported Juniper packets.
> > +
> > +Notes:
> > +
> > +- only Ethernet packets are currently supported
> > +- was unable to recreate the original bug, but areas where hardening was 
> > required
> > +
> > +CVE: CVE-2025-51006
> > +
> > +Upstream-Status: Backport 
> > [https://github.com/appneta/tcpreplay/commit/868db118535a646a8a48c957f1e6367069be1aa7]
> > +
> > +Signed-off-by: Archana Polampalli <[email protected]>
> > +---
> > + .../plugins/dlt_jnpr_ether/jnpr_ether.c       | 33 +++++++++++++++++--
> > + .../plugins/dlt_jnpr_ether/jnpr_ether.h       |  2 ++
> > + 2 files changed, 33 insertions(+), 2 deletions(-)
> > +
> > +diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c 
> > b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
> > +index 9642a2c..671d5c0 100644
> > +--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
> > ++++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.c
> > +@@ -202,8 +202,12 @@ dlt_jnpr_ether_parse_opts(tcpeditdlt_t *ctx)
> > + int
> > + dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char *packet, int pktlen)
> > + {
> > ++    int extensions_len = 0;
> > +     int jnpr_header_len = 0;
> > +     const u_char *ethernet = NULL;
> > ++    const u_char *extension;
> > ++    u_char dlt = 0;
> > ++    u_char encapsulation = 0;
> > +     jnpr_ether_config_t *config;
> > +
> > +     assert(ctx);
> > +@@ -228,9 +232,10 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char 
> > *packet, int pktlen)
> > +     }
> > +
> > +     /* then get the Juniper header length */
> > +-    memcpy(&jnpr_header_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
> > ++    memcpy(&extensions_len, &packet[JUNIPER_ETHER_EXTLEN_OFFSET], 2);
> > +
> > +-    jnpr_header_len = ntohs(jnpr_header_len) + JUNIPER_ETHER_HEADER_LEN;
> > ++    extensions_len = ntohs(extensions_len);
> > ++    jnpr_header_len = extensions_len + JUNIPER_ETHER_HEADER_LEN;
> > +
> > +     dbgx(1, "jnpr header len: %d", jnpr_header_len);
> > +     /* make sure the packet is big enough to find the Ethernet Header */
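Review bot: The 2-byte memcpy() into `extensions_len`, which the previous hunk declares as `int`, followed by ntohs() is endian-dependent. On a big-endian target the two bytes land in the most significant half of the int, and ntohs() only sees the low 16 bits, so the length comes out as 0. The pattern is carried over from the removed lines, but since the new extension walk depends on this value it is worth copying into a uint16_t temporary and assigning ntohs() of that to `extensions_len`.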
> > +@@ -245,6 +250,30 @@ dlt_jnpr_ether_decode(tcpeditdlt_t *ctx, const u_char 
> > *packet, int pktlen)
> > +     /* jump to the appropriate offset */
> > +     ethernet = packet + jnpr_header_len;
> > +
> > ++    /* parse the extension header to ensure this is Ethernet - the only 
> > DLT we currently support */
> > ++    extension = packet + JUNIPER_ETHER_HEADER_LEN;
> > ++    while (extension  < ethernet - 2) {
> > ++        u_char ext_len = extension[1];
> > ++        if (extension[0] == JUNIPER_ETHER_EXT_MEDIA_TYPE)
> > ++            dlt = extension[2];
> > ++        else if (extension[0] == JUNIPER_ETHER_EXT_ENCAPSULATION)
> > ++            encapsulation = extension[2];
> > ++        if (dlt != 0 && encapsulation != 0)
> > ++            break;
> > ++        extension += ext_len + 2;
> > ++    }
> > ++
> > ++    if (extension > ethernet) {
> > ++        tcpedit_seterr(ctx->tcpedit, "Extension to long! %d", extension - 
> > ethernet);
> > ++        return TCPEDIT_ERROR;
> > ++    }
> > ++
> > ++    if (dlt != DLT_EN10MB || encapsulation != 14) {
> > ++        tcpedit_setwarn(ctx->tcpedit, "packet DLT %d and extension type 
> > %d not supported",
> > ++            dlt, extension);
> > ++        return TCPEDIT_WARN;
> > ++    }
> > ++
> > +     /* let the en10mb plugin decode the rest */
> > +     if (tcpedit_dlt_decode(config->subctx, ethernet, (pktlen - 
> > jnpr_header_len)) == TCPEDIT_ERROR)
> > +         return TCPEDIT_ERROR;
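Review bot: In the tcpedit_setwarn() call the second %d is given `extension`, a `const u_char *`, where `encapsulation` looks intended, so the warning has a format/argument mismatch and does not report the encapsulation value. The tcpedit_seterr() call just above has a similar issue: `extension - ethernet` is a pointer difference printed with %d, and the message reads "to long" for "too long". As the patch is marked Upstream-Status: Backport, these are best raised upstream as well. The literal in `encapsulation != 14` would also read better as a named constant next to JUNIPER_ETHER_EXT_ENCAPSULATION.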
> > +diff --git a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h 
> > b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
> > +index 4875350..90c12b4 100644
> > +--- a/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
> > ++++ b/src/tcpedit/plugins/dlt_jnpr_ether/jnpr_ether.h
> > +@@ -33,6 +33,8 @@ extern "C" {
> > + #define JUNIPER_ETHER_L2PRESENT 0x80
> > + #define JUNIPER_ETHER_DIRECTION 0x01
> > + #define JUNIPER_ETHER_EXTLEN_OFFSET 4
> > ++#define JUNIPER_ETHER_EXT_MEDIA_TYPE 3
> > ++#define JUNIPER_ETHER_EXT_ENCAPSULATION 6
> > +
> > + int dlt_jnpr_ether_register(tcpeditdlt_t *ctx);
> > + int dlt_jnpr_ether_init(tcpeditdlt_t *ctx);
> > +--
> > +2.40.0
> > diff --git a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb 
> > b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
> > index a784190868..04f3ee1c2d 100644
> > --- a/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
> > +++ b/meta-networking/recipes-support/tcpreplay/tcpreplay_4.4.4.bb
> > @@ -15,6 +15,7 @@ SRC_URI = 
> > "https://github.com/appneta/${BPN}/releases/download/v${PV}/${BP}.tar.
> >       file://CVE-2023-43279.patch \
> >       file://CVE-2024-22654-0001.patch \
> >       file://CVE-2024-22654-0002.patch \
> > +    file://CVE-2025-51006.patch \
> >   "
> >
> >   SRC_URI[sha256sum] = 
> > "44f18fb6d3470ecaf77a51b901a119dae16da5be4d4140ffbb2785e37ad6d4bf"
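Review bot: CVE-2025-51006.patch is added to SRC_URI under a commit message that describes a double free in dlt_linuxsll2_cleanup() in plugins/dlt_linuxsll2/linuxsll2.c, while the backported change only touches plugins/dlt_jnpr_ether/jnpr_ether.c and jnpr_ether.h, and its own notes say the original bug could not be recreated. The commit message should say how the Juniper decode hardening relates to the linuxsll2 double free, so that anyone auditing the CVE status of this recipe can see why this patch is taken as the fix.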
> >
> >
> >
>
> 
>