new file mode 100644

@@ -0,0 +1,128 @@

+From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001

+From: Guy Harris <gharris@sonic.net>

+Date: Tue, 12 Mar 2024 00:37:23 -0700

+Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer.

+

+This both saves the buffer for freeing later and saves the packet

+pointer and snapend to be restored when packet processing is complete,

+even if an exception is thrown with longjmp.

+

+This means that the hex/ASCII printing in pretty_print_packet()

+processes the packet data as captured or read from the savefile, rather

+than as modified by the PPP printer, so that the bounds checking is

+correct.

+

+That fixes CVE-2024-2397, which was caused by an exception being thrown

+by the hex/ASCII printer (which should only happen if those routines are

+called by a packet printer, not if they're called for the -X/-x/-A

+flag), which jumps back to the setjmp() that surrounds the packet

+printer.  Hilarity^Winfinite looping ensues.

+

+Also, restore ndo->ndo_packetp before calling the hex/ASCII printing

+routine, in case nd_pop_all_packet_info() didn't restore it.

+

+[kunitsh@vmware.com: ported fix to v4.99.4]

+Signed-off-by: Nitesh Kumar <nitesh-nk.kumar@broadcom.com>

+---

+ print-ppp.c | 31 +++++++++++++++++--------------

+ print.c     |  8 ++++++--

+ 2 files changed, 23 insertions(+), 16 deletions(-)

+

+diff --git a/print-ppp.c b/print-ppp.c

+index aba243d..eb13ddd 100644

+--- a/print-ppp.c

+@@ -37,6 +37,8 @@

+ 

+ #include "netdissect-stdinc.h"

+ 

++#include <stdlib.h>

++

+ #ifdef __bsdi__

+ #include <net/slcompress.h>

+ #include <net/if_ppp.h>

+@@ -1363,7 +1365,6 @@ ppp_hdlc(netdissect_options *ndo,

+ 	u_char *b, *t, c;

+ 	const u_char *s;

+ 	u_int i, proto;

+-	const void *sb, *se;

+ 

+ 	if (caplen == 0)

+ 		return;

+@@ -1371,9 +1372,11 @@ ppp_hdlc(netdissect_options *ndo,

+         if (length == 0)

+                 return;

+ 

+-	b = (u_char *)nd_malloc(ndo, caplen);

+-	if (b == NULL)

+-		return;

++        b = (u_char *)malloc(caplen);

++        if (b == NULL) {

++                (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,

++                        "%s: malloc", __func__);

++        }

+ 

+ 	/*

+ 	 * Unescape all the data into a temporary, private, buffer.

+@@ -1394,13 +1397,15 @@ ppp_hdlc(netdissect_options *ndo,

+ 	}

+ 

+ 	/*

+-	 * Change the end pointer, so bounds checks work.

+-	 * Change the pointer to packet data to help debugging.

++	 * Switch to the output buffer for dissection, and save it

++	 * on the buffer stack so it can be freed; our caller must

++	 * pop it when done.

+ 	 */

+-	sb = ndo->ndo_packetp;

+-	se = ndo->ndo_snapend;

+-	ndo->ndo_packetp = b;

+-	ndo->ndo_snapend = t;

++        if (!nd_push_buffer(ndo, b, b, (u_int)(t - b))) {

++                free(b);

++                (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC,

++                        "%s: can't push buffer on buffer stack", __func__);

++        }

+ 	length = ND_BYTES_AVAILABLE_AFTER(b);

+ 

+         /* now lets guess about the payload codepoint format */

+@@ -1442,13 +1447,11 @@ ppp_hdlc(netdissect_options *ndo,

+         }

+ 

+ cleanup:

+-	ndo->ndo_packetp = sb;

+-	ndo->ndo_snapend = se;

++	nd_pop_packet_info(ndo);

+         return;

+ 

+ trunc:

+-	ndo->ndo_packetp = sb;

+-	ndo->ndo_snapend = se;

++	nd_pop_packet_info(ndo);

+ 	nd_print_trunc(ndo);

+ }

+ 

+diff --git a/print.c b/print.c

+index 9c0ab86..33706b9 100644

+--- a/print.c

+@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h,

+ 	nd_pop_all_packet_info(ndo);

+ 

+ 	/*

+-	 * Restore the original snapend, as a printer might have

+-	 * changed it.

++	 * Restore the originals snapend and packetp, as a printer

++	 * might have changed them.

++	 *

++	 * XXX - nd_pop_all_packet_info() should have restored the

++	 * original values, but, just in case....

+ 	 */

+ 	ndo->ndo_snapend = sp + h->caplen;

++	ndo->ndo_packetp = sp;

+ 	if (ndo->ndo_Xflag) {

+ 		/*

+ 		 * Print the raw packet data in hex and ASCII.

+-- 

+2.34.1

+

@@ -1,7 +1,7 @@

 Summary:        Packet Analyzer

 Name:           tcpdump

 Version:        4.99.4

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        BSD

 URL:            http://www.tcpdump.org

 Group:          Networking

@@ -11,6 +11,8 @@ Distribution:   Photon

 Source0: http://www.tcpdump.org/release/%{name}-%{version}.tar.gz

 %define sha512 tcpdump=cb51e19574707d07c0de90dd4c301955897f2c9f2a69beb7162c08f59189f55625346d1602c8d66ab2b4c626ea4b0df1f08ed8734d2d7f536d0a7840c2d6d8df

+Patch0: CVE-2024-2397.patch

+

 BuildRequires: libpcap-devel

 Requires: libpcap

@@ -21,7 +23,7 @@ It allows the user to display TCP/IP and other packets being

 transmitted or received over a network to which the computer is attached.

 %prep

-%autosetup

+%autosetup -p1

 %build

 %configure

@@ -42,6 +44,8 @@ make %{?_smp_mflags} check

 %{_mandir}/man1/tcpdump.1.gz

 %changelog

+* Thu Mar 28 2024 Nitesh Kumar <nitesh-nk.kumar@broadcom.com> 4.99.4-2

+- Patched for CVE-2024-2397

 * Thu May 18 2023 Nitesh Kumar <kunitesh@vmware.com> 4.99.4-1

 - Upgrade to v4.99.4 to fix CVE-2023-1801

 * Tue Apr 19 2022 Gerrit Photon <photon-checkins@vmware.com> 4.99.1-1