Overview

File validate-the-messagelength-field-of-incoming-message.patch of Package linuxptp.20297

From: Richard Cochran <richardcochran@gmail.com>
Subject: Validate the messageLength field of incoming messages.
Git-commit: 7795df89dd4f94e0f55959dc61a85535d0f01cae
Patch-mainline: v1.8.1~1
References: bsc#1187646, CVE-2021-3570
Acked-by: Jiri Bohac <jbohac@suse.cz>

The PTP messageLength field is redundant because the length of a PTP
message is precisely determined by the message type and the appended
TLVs.  The current implementation validates the sizes of both the main
message (according to the fixed header length and fixed length by
type) and the TLVs (by using the 'L' of the TLV).

However, when forwarding a message, the messageLength field is used.
If a message arrives with a messageLength field larger than the actual
message size, the code will read and possibly write data beyond the
allocated buffer.

Fix the issue by validating the field on ingress.  This prevents
reading and sending data past the message buffer when forwarding a
management message or other messages when operating as a transparent
clock, and it also prevents a memory corruption in msg_post_recv()
after forwarding a management message.

Reported-by: Miroslav Lichvar <mlichvar@redhat.com>
Signed-off-by: Richard Cochran <richardcochran@gmail.com>

diff --git a/msg.c b/msg.c
index 4b3d926..2b4b72f 100644
--- a/msg.c
+++ b/msg.c
@@ -118,11 +118,13 @@ static void port_id_pre_send(struct PortIdentity *pid)
 	pid->portNumber = htons(pid->portNumber);
 }
 
-static int suffix_post_recv(uint8_t *ptr, int len, struct tlv_extra *last)
+static int suffix_post_recv(uint8_t *ptr, int len, struct tlv_extra *last, int *suffix_len)
 {
 	int cnt, err;
 	struct TLV *tlv;
 
+	*suffix_len = 0;
+
 	if (!ptr)
 		return 0;
 
@@ -133,11 +135,13 @@ static int suffix_post_recv(uint8_t *ptr, int len, struct tlv_extra *last)
 		if (tlv->length % 2) {
 			return -EBADMSG;
 		}
+		*suffix_len += sizeof(struct TLV);
 		len -= sizeof(struct TLV);
 		ptr += sizeof(struct TLV);
 		if (tlv->length > len) {
 			return -EBADMSG;
 		}
+		*suffix_len += tlv->length;
 		len -= tlv->length;
 		ptr += tlv->length;
 		err = tlv_post_recv(tlv, len > sizeof(struct TLV) ? NULL : last);
@@ -225,7 +229,7 @@ void msg_get(struct ptp_message *m)
 
 int msg_post_recv(struct ptp_message *m, int cnt)
 {
-	int pdulen, type, err;
+	int err, pdulen, type, suffix_len;
 	uint8_t *suffix = NULL;
 
 	if (cnt < sizeof(struct ptp_header))
@@ -318,9 +322,12 @@ int msg_post_recv(struct ptp_message *m, int cnt)
 	if (msg_sots_missing(m))
 		return -ETIME;
 
-	m->tlv_count = suffix_post_recv(suffix, cnt - pdulen, &m->last_tlv);
+	m->tlv_count = suffix_post_recv(suffix, cnt - pdulen, &m->last_tlv, &suffix_len);
 	if (m->tlv_count < 0)
 		return m->tlv_count;
+	if (pdulen + suffix_len != m->header.messageLength) {
+		return -EBADMSG;
+	}
 
 	return 0;
 }
openSUSE Build Service is sponsored by
Places