author | jmbills <jason.m.bills@intel.com> | 2021-10-04 22:42:48 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-04 22:42:48 +0300 |
commit | 0c9e31989c615598b5d042ffab385606660c93c0 (patch) | |
tree | 8019999b0ca042482e5193d6cabc06220c71d776 /meta-openembedded/meta-networking/recipes-support/ntopng | |
parent | 04cd92067d2481643df5010cb39b2134b648cf4d (diff) | |
parent | ffe6d597d9e3d4407cf8062b5d6505a80ce08f41 (diff) | |
download | openbmc-0c9e31989c615598b5d042ffab385606660c93c0.tar.xz |
Update
Diffstat (limited to 'meta-openembedded/meta-networking/recipes-support/ntopng')
3 files changed, 128 insertions, 11 deletions
diff --git a/meta-openembedded/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch b/meta-openembedded/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch
new file mode 100644
index 000000000..8fdd62d18
--- /dev/null
+++ b/meta-openembedded/meta-networking/recipes-support/ntopng/files/CVE-2021-36082.patch
@@ -0,0 +1,116 @@
+From 1ec621c85b9411cc611652fd57a892cfef478af3 Mon Sep 17 00:00:00 2001
+From: Luca Deri <deri@ntop.org>
+Date: Sat, 15 May 2021 19:53:46 +0200
+Subject: [PATCH] Added further checks
+
+Upstream-Status: Backport [https://github.com/ntop/nDPI/commit/1ec621c85b9411cc611652fd57a892cfef478af3]
+CVE: CVE-2021-36082
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+
+---
+ src/lib/protocols/netbios.c | 2 +-
+ src/lib/protocols/tls.c | 32 +++++++++++++++++---------------
+ 2 files changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c
+index 1f3850cb..0d3b705f 100644
+--- a/src/lib/protocols/netbios.c
++++ b/src/lib/protocols/netbios.c
+@@ -42,7 +42,7 @@ int ndpi_netbios_name_interpret(char *in, size_t inlen, char *out, u_int out_len
+ int ret = 0, len, idx = inlen;
+ char *b;
+
+- len = (*in++)/2;
++ len = (*in++)/2, inlen--;
+ b = out;
+ *out = 0;
+
+diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
+index 5b572cae..c115ac08 100644
+--- a/src/lib/protocols/tls.c
++++ b/src/lib/protocols/tls.c
+@@ -994,21 +994,23 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+ i += 4 + extension_len, offset += 4 + extension_len;
+ }
+
+- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
++ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+
+- for(i=0; i<ja3.num_cipher; i++) {
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
++ for(i=0; (i<ja3.num_cipher) && (JA3_STR_LEN > ja3_str_len); i++) {
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.cipher[i]);
+
+ if(rc <= 0) break; else ja3_str_len += rc;
+ }
+
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
+- if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
++ if(JA3_STR_LEN > ja3_str_len) {
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
++ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
++ }
+
+ /* ********** */
+
+- for(i=0; i<ja3.num_tls_extension; i++) {
+- int rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
++ for(i=0; (i<ja3.num_tls_extension) && (JA3_STR_LEN-ja3_str_len); i++) {
++ int rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u", (i > 0) ? "-" : "", ja3.tls_extension[i]);
+
+ if(rc <= 0) break; else ja3_str_len += rc;
+ }
+@@ -1443,41 +1445,41 @@ int processClientServerHello(struct ndpi_detection_module_struct *ndpi_struct,
+ int rc;
+
+ compute_ja3c:
+- ja3_str_len = snprintf(ja3_str, sizeof(ja3_str), "%u,", ja3.tls_handshake_version);
++ ja3_str_len = snprintf(ja3_str, JA3_STR_LEN, "%u,", ja3.tls_handshake_version);
+
+ for(i=0; i<ja3.num_cipher; i++) {
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.cipher[i]);
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ }
+
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+
+ /* ********** */
+
+ for(i=0; i<ja3.num_tls_extension; i++) {
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.tls_extension[i]);
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ }
+
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+
+ /* ********** */
+
+ for(i=0; i<ja3.num_elliptic_curve; i++) {
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.elliptic_curve[i]);
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ }
+
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, ",");
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, ",");
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc;
+
+ for(i=0; i<ja3.num_elliptic_curve_point_format; i++) {
+- rc = snprintf(&ja3_str[ja3_str_len], sizeof(ja3_str)-ja3_str_len, "%s%u",
++ rc = snprintf(&ja3_str[ja3_str_len], JA3_STR_LEN-ja3_str_len, "%s%u",
+ (i > 0) ? "-" : "", ja3.elliptic_curve_point_format[i]);
+ if(rc > 0 && ja3_str_len + rc < JA3_STR_LEN) ja3_str_len += rc; else break;
+ }
+--
+2.17.1
+
diff --git a/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb b/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
index 22e4d8e9a..89450f562 100644
--- a/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
+++ b/meta-openembedded/meta-networking/recipes-support/ntopng/ndpi_3.4.bb
@@ -4,13 +4,14 @@ inspection. Based on OpenDPI it includes ntop extensions"
 SECTION = "libdevel"
 DEPENDS = "libpcap"
-RDEPENDS_${PN} += " libpcap"
+RDEPENDS:${PN} += " libpcap"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=b52f2d57d10c4f7ee67a7eb9615d5d24"
 SRCREV = "64929a75e0a7a60d864bd25a9fd97fdf9ac892a2"
 SRC_URI = "git://github.com/ntop/nDPI.git;branch=3.4-stable \
 file://0001-autogen.sh-not-generate-configure.patch \
+ file://CVE-2021-36082.patch \
 "
 S = "${WORKDIR}/git"
@@ -19,7 +20,7 @@ inherit autotools-brokensep pkgconfig
 CPPFLAGS += "${SELECTED_OPTIMIZATION}"
-do_configure_prepend() {
+do_configure:prepend() {
 ${S}/autogen.sh
 }
diff --git a/meta-openembedded/meta-networking/recipes-support/ntopng/ntopng_4.2.bb b/meta-openembedded/meta-networking/recipes-support/ntopng/ntopng_4.2.bb
index 596186651..cc2320788 100644
--- a/meta-openembedded/meta-networking/recipes-support/ntopng/ntopng_4.2.bb
+++ b/meta-openembedded/meta-networking/recipes-support/ntopng/ntopng_4.2.bb
@@ -7,7 +7,7 @@ usability, and features."
 SECTION = "console/network"
 DEPENDS = "curl libmaxminddb libpcap lua mariadb ndpi json-c rrdtool zeromq"
-RDEPENDS_${PN} = "bash redis"
+RDEPENDS:${PN} = "bash redis"
 LICENSE = "GPLv3"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
@@ -26,24 +26,24 @@ S = "${WORKDIR}/git"
 # don't use the lua under thirdparty as it supports cross compiling badly
 export LUA_LIB = "${STAGING_LIBDIR}/liblua.a"
-LDFLAGS_append_mipsarch = " -latomic"
-LDFLAGS_append_powerpc = " -latomic"
-LDFLAGS_append_riscv32 = " -latomic"
+LDFLAGS:append:mipsarch = " -latomic"
+LDFLAGS:append:powerpc = " -latomic"
+LDFLAGS:append:riscv32 = " -latomic"
 inherit autotools-brokensep gettext systemd
-do_install_append() {
+do_install:append() {
 install -d ${D}${systemd_unitdir}/system/
 install -m 0644 ${WORKDIR}/ntopng.service ${D}${systemd_unitdir}/system
 }
-FILES_${PN} += "\
+FILES:${PN} += "\
 ${systemd_unitdir}/system/ntopng.service"
-FILES_${PN}-doc += "\
+FILES:${PN}-doc += "\
 /usr/man/man8/ntopng.8"
-do_configure_prepend() {
+do_configure:prepend() {
 ${S}/autogen.sh
 }
-SYSTEMD_SERVICE_${PN} = "ntopng.service"
+SYSTEMD_SERVICE:${PN} = "ntopng.service" |