Diffstat (limited to 'meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch')
-rw-r--r-- | meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch b/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch new file mode 100644 index 0000000000..7e5d8e2708 --- /dev/null +++ b/meta-security/recipes-ids/suricata/files/CVE-2024-37151.patch 
@@ -0,0 +1,53 @@ +From a6052dca1e27f3c8f96ec7be0fe7514c56a0d56f Mon Sep 17 00:00:00 2001 +From: Victor Julien <vjulien@oisf.net> +Date: Tue, 4 Jun 2024 14:43:22 +0200 +Subject: [PATCH 1/4] defrag: don't use completed tracker + +When a Tracker is set up for a IPID, frags come in for it and it's +reassembled and complete, the `DefragTracker::remove` flag is set. This +is mean to tell the hash cleanup code to recyle the tracker and to let +the lookup code skip the tracker during lookup. + +A logic error lead to the following scenario: + +1. there are sufficient frag trackers to make sure the hash table is + filled with trackers +2. frags for a Packet with IPID X are processed correctly (X1) +3. frags for a new Packet that also has IPID X come in quickly after the + first (X2). +4. during the lookup, the frag for X2 hashes to a hash row that holds + more than one tracker +5. as the trackers in hash row are evaluated, it finds the tracker for + X1, but since the `remove` bit is not checked, it is returned as the + tracker for X2. +6. reassembly fails, as the tracker is already complete + +The logic error is that only for the first tracker in a row the `remove` +bit was checked, leading to reuse to a closed tracker if there were more +trackers in the hash row. + +Ticket: #7042. 
+ +Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b] +CVE: CVE-2024-37151 +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> +--- + src/defrag-hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/defrag-hash.c b/src/defrag-hash.c +index 2f19ce2..87d40f9 100644 +--- a/src/defrag-hash.c ++++ b/src/defrag-hash.c +@@ -591,7 +591,7 @@ DefragTracker *DefragGetTrackerFromHash (Packet *p) + return dt; + } + +- if (DefragTrackerCompare(dt, p) != 0) { ++ if (!dt->remove && DefragTrackerCompare(dt, p) != 0) { + /* we found our tracker, lets put it on top of the + * hash list -- this rewards active trackers */ + if (dt->hnext) { +-- +2.44.0 + |
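Review bot: The Upstream-Status line names upstream commit aab7f35c76721df19403a7c0c0025feae12f3b6b, but the patch header itself reads `From a6052dca1e27f3c8f96ec7be0fe7514c56a0d56f` and carries `Subject: [PATCH 1/4]`, so the two do not match and the patch is visibly the first of a four-part series. Either the Upstream-Status URL should reference the commit this patch was actually taken from, or the recipe should also carry patches 2/4 to 4/4 if they are part of the CVE-2024-37151 fix; this should be confirmed against upstream before merging. The code change itself is consistent with the commit message: in `DefragGetTrackerFromHash` the loop body now reads `if (!dt->remove && DefragTrackerCompare(dt, p) != 0)`, so a tracker already flagged for removal is skipped instead of being returned for a later packet with the same IPID, matching the check the first tracker in the row already had. It would help reviewers if the commit message typos (`mean` for `meant`, `recyle` for `recycle`, `lead` for `led`) were corrected in the backport's own description rather than in the upstream text, which should stay verbatim.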