diff -pruN 4.4.1-2/debian/changelog 4.4.1-2ubuntu1/debian/changelog --- 4.4.1-2/debian/changelog 2022-04-25 17:58:02.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/changelog 2022-09-27 03:55:27.000000000 +0000 @@ -1,3 +1,35 @@ +tcpreplay (4.4.1-2ubuntu1) kinetic; urgency=medium + + * SECURITY UPDATE: heap-overflow in get_l2len_protocol + - debian/patches/CVE-2022-25484_27941.patch: fix heap overflow in + get_l2len_protocol + - CVE-2022-25484 + - CVE-2022-27941 + * SECURITY UPDATE: reachable assertion in get_layer4_v6 + - debian/patches/CVE-2022-27939.patch: fix null pointer dereference in + get_layer4_v6 + - CVE-2022-27939 + * SECURITY UPDATE: heap-overflow in get_ipv6_next + - debian/patches/CVE-2022-27940_37047_37049.patch: Add end_ptr to key + functions, which make it easier to implement overflow protections + - CVE-2022-27940 + - CVE-2022-37047 + - CVE-2022-37049 + * SECURITY UPDATE: heap-overflow in parse_mpls + - debian/patches/CVE-2022-27942.patch: Add better overflow protection in + parse_mpls + - CVE-2022-27942 + * SECURITY UPDATE: format string vulnerability in fix_ipv6_checksums + - debian/patches/CVE-2022-28487.patch: fix format string in + src/tcpedit/edit_packet.c file + - CVE-2022-28487 + * SECURITY UPDATE: heap-overflow in get_l2len_protocol + - debian/patches/CVE-2022-37048.patch: fix heap-overflow by checking data + length correctly + - CVE-2022-37048 + + -- Nishit Majithia Tue, 27 Sep 2022 09:25:27 +0530 + tcpreplay (4.4.1-2) unstable; urgency=medium * Also disable for: alpha, ia64, mipsel, mips64el diff -pruN 4.4.1-2/debian/control 4.4.1-2ubuntu1/debian/control --- 4.4.1-2/debian/control 2022-04-25 09:03:30.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/control 2022-09-27 03:55:27.000000000 +0000 @@ -1,5 +1,6 @@ Source: tcpreplay -Maintainer: Christoph Biedl +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Christoph Biedl Homepage: http://tcpreplay.appneta.com/ Standards-Version: 4.6.0 Vcs-Browser: https://git.in-ulm.de/cbiedl/tcpreplay diff -pruN 4.4.1-2/debian/patches/CVE-2022-25484_27941.patch 4.4.1-2ubuntu1/debian/patches/CVE-2022-25484_27941.patch --- 4.4.1-2/debian/patches/CVE-2022-25484_27941.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/patches/CVE-2022-25484_27941.patch 2022-09-27 03:55:27.000000000 +0000 @@ -0,0 +1,51 @@ +From a135cea13507b5d2f810d762390ba37d6b93aa3e Mon Sep 17 00:00:00 2001 +From: Fred Klassen +Date: Mon, 1 Aug 2022 12:20:41 -0700 +Subject: [PATCH] But #716 heap-buffer-overflow in get_l2len_protocol() + +--- + configure.ac | 2 +- + docs/CHANGELOG | 3 +++ + src/common/get.c | 6 ++++-- + 3 files changed, 8 insertions(+), 3 deletions(-) + +--- tcpreplay-4.4.1.orig/configure.ac ++++ tcpreplay-4.4.1/configure.ac +@@ -4,7 +4,7 @@ dnl $Id$ + AC_PREREQ([2.69]) + + dnl Set version info here! +-AC_INIT([tcpreplay],[4.4.1],[https://github.com/appneta/tcpreplay/issues],[tcpreplay],[http://tcpreplay.sourceforge.net/]) ++AC_INIT([tcpreplay],[4.4.2-beta1],[https://github.com/appneta/tcpreplay/issues],[tcpreplay],[http://tcpreplay.sourceforge.net/]) + AC_CONFIG_SRCDIR([src/tcpreplay.c]) + AC_CONFIG_HEADERS([src/config.h]) + AC_CONFIG_AUX_DIR(config) +--- tcpreplay-4.4.1.orig/docs/CHANGELOG ++++ tcpreplay-4.4.1/docs/CHANGELOG +@@ -1,3 +1,6 @@ ++08/01/2022 Version 4.4.2 Beta 1 ++ - heap buffer overflow in get_l2len_protocol() ++ + 02/12/2022 Version 4.4.1 + - fix support for piping PCAP files from STDIN (#708) + - build failures Debian/kfreebsd (#706) +--- tcpreplay-4.4.1.orig/src/common/get.c ++++ tcpreplay-4.4.1/src/common/get.c +@@ -317,13 +317,15 @@ int get_l2len_protocol(const u_char *pkt + /* fall through */ + case DLT_EN10MB: + { +- eth_hdr_t *eth_hdr = (eth_hdr_t*)(pktdata + *l2offset); ++ eth_hdr_t *eth_hdr; ++ uint16_t ether_type; + uint32_t l2_net_off = sizeof(*eth_hdr) + *l2offset; +- uint16_t ether_type = ntohs(eth_hdr->ether_type); + + if (datalen <= l2_net_off) + return -1; + ++ eth_hdr = (eth_hdr_t*)(pktdata + *l2offset); ++ ether_type = ntohs(eth_hdr->ether_type); + if (parse_metadata(pktdata, + datalen, + ðer_type, diff -pruN 4.4.1-2/debian/patches/CVE-2022-27939.patch 4.4.1-2ubuntu1/debian/patches/CVE-2022-27939.patch --- 4.4.1-2/debian/patches/CVE-2022-27939.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/patches/CVE-2022-27939.patch 2022-09-27 03:55:27.000000000 +0000 @@ -0,0 +1,22 @@ +From bac620dfbd5b7b3b3602eae29e05afa00765ce19 Mon Sep 17 00:00:00 2001 +From: Fred Klassen +Date: Tue, 2 Aug 2022 13:51:27 -0700 +Subject: [PATCH] Bug #717 avoid assertion in get_layer4_v6 + +--- + docs/CHANGELOG | 3 ++- + src/common/get.c | 3 +++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- tcpreplay-4.4.1.orig/src/common/get.c ++++ tcpreplay-4.4.1/src/common/get.c +@@ -616,6 +616,9 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, + case TCPR_IPV6_NH_IPV6: + dbg(3, "recursing due to v6-in-v6"); + next = get_layer4_v6((ipv6_hdr_t *)next, l3len - min_len); ++ if (next == NULL) ++ done = true; ++ + break; + + /* loop again */ diff -pruN 4.4.1-2/debian/patches/CVE-2022-27940_37047_37049.patch 4.4.1-2ubuntu1/debian/patches/CVE-2022-27940_37047_37049.patch --- 4.4.1-2/debian/patches/CVE-2022-27940_37047_37049.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/patches/CVE-2022-27940_37047_37049.patch 2022-09-27 03:55:27.000000000 +0000 @@ -0,0 +1,479 @@ +From 49420cb5297852bbe4e3efe846d2d42e134f858d Mon Sep 17 00:00:00 2001 +From: Fred Klassen +Date: Thu, 4 Aug 2022 12:27:36 -0700 +Subject: [PATCH] Bug #718 improved heap-overflow protection + +Add end_ptr to key functions, which make it easier to implement +overflow protections. +--- + docs/CHANGELOG | 1 + + src/common/get.c | 80 +++++++++++++++++----------------- + src/common/get.h | 7 ++- + src/tcpedit/checksum.c | 11 +++-- + src/tcpedit/checksum.h | 2 +- + src/tcpedit/edit_packet.c | 39 +++++++++-------- + src/tcpedit/fuzzing.c | 6 ++- + src/tcpedit/portmap.c | 4 +- + src/tcpedit/rewrite_sequence.c | 6 ++- + src/tcpedit/tcpedit.c | 4 +- + src/tcpprep.c | 6 +-- + 11 files changed, 89 insertions(+), 77 deletions(-) + +--- tcpreplay-4.4.1.orig/src/common/get.c ++++ tcpreplay-4.4.1/src/common/get.c +@@ -42,6 +42,10 @@ extern const char pcap_version[]; + #define JUNIPER_FLAG_NO_L2 0x02 /* L2 header */ + #define JUNIPER_FLAG_EXT 0x80 /* Juniper extensions present */ + #define JUNIPER_PCAP_MAGIC "MGC" ++ ++static void * ++get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr); ++ + /** + * Depending on what version of libpcap/WinPcap there are different ways to get + * the version of the libpcap/WinPcap library. This presents a unified way to +@@ -570,15 +574,16 @@ get_ipv6(const u_char *pktdata, int data + * If the packet is to short, returns NULL + */ + void * +-get_layer4_v4(const ipv4_hdr_t *ip_hdr, const int l3len) ++get_layer4_v4(const ipv4_hdr_t *ip_hdr, const u_char *end_ptr) + { + void *ptr; + + assert(ip_hdr); ++ assert(end_ptr); + + ptr = (u_char *)ip_hdr + (ip_hdr->ip_hl << 2); + /* make sure we don't jump over the end of the buffer */ +- if ((u_char *)ptr > ((u_char *)ip_hdr + l3len)) ++ if ((u_char *)ptr > end_ptr) + return NULL; + + return ((void *)ptr); +@@ -590,24 +595,21 @@ get_layer4_v4(const ipv4_hdr_t *ip_hdr, + * v6 Frag or ESP header. Function is recursive. + */ + void * +-get_layer4_v6(const ipv6_hdr_t *ip6_hdr, const int l3len) ++get_layer4_v6(const ipv6_hdr_t *ip6_hdr, const u_char *end_ptr) + { + struct tcpr_ipv6_ext_hdr_base *next, *exthdr; + bool done = false; +- uint32_t maxlen; + uint8_t proto; +- int min_len; + + assert(ip6_hdr); +- +- min_len = TCPR_IPV6_H + sizeof(struct tcpr_ipv6_ext_hdr_base); +- if (l3len < min_len) +- return NULL; ++ assert(end_ptr); + + /* jump to the end of the IPv6 header */ + next = (struct tcpr_ipv6_ext_hdr_base *)((u_char *)ip6_hdr + TCPR_IPV6_H); +- proto = ip6_hdr->ip_nh; ++ if ((u_char*)next > end_ptr) ++ return NULL; + ++ proto = ip6_hdr->ip_nh; + while (!done) { + dbgx(3, "Processing proto: 0x%hx", (uint16_t)proto); + +@@ -615,10 +617,7 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, + /* recurse due to v6-in-v6, need to recast next as an IPv6 Header */ + case TCPR_IPV6_NH_IPV6: + dbg(3, "recursing due to v6-in-v6"); +- next = get_layer4_v6((ipv6_hdr_t *)next, l3len - min_len); +- if (next == NULL) +- done = true; +- ++ next = get_layer4_v6((ipv6_hdr_t *)next, end_ptr); + break; + + /* loop again */ +@@ -627,9 +626,9 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, + case TCPR_IPV6_NH_DESTOPTS: + case TCPR_IPV6_NH_HBH: + dbgx(3, "Going deeper due to extension header 0x%02X", proto); +- maxlen = l3len - (int)((u_char *)ip6_hdr - (u_char *)next); +- exthdr = get_ipv6_next(next, maxlen); ++ exthdr = get_ipv6_next(next, end_ptr); + if (exthdr == NULL) { ++ next = NULL; + done = true; + break; + } +@@ -660,10 +659,10 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, + + done = true; + } /* switch */ +- } /* while */ + +- if (!next || (u_char*)next > (u_char*)ip6_hdr + l3len) +- return NULL; ++ if (next == NULL) ++ done = true; ++ } /* while */ + + return next; + } +@@ -673,15 +672,15 @@ get_layer4_v6(const ipv6_hdr_t *ip6_hdr, + * returns the next payload or header of the current extension header + * returns NULL for none/ESP. + */ +-void * +-get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const int len) ++static void * ++get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const u_char *end_ptr) + { +- int extlen = 0; +- int maxlen; +- void *ptr; ++ uint8_t extlen = 0; ++ u_char *ptr; + assert(exthdr); + +- maxlen = *((int*)((u_char *)exthdr + len)); ++ if ((u_char*)exthdr + sizeof(*exthdr) > end_ptr) ++ return NULL; + + dbgx(3, "Jumping to next IPv6 header. Processing 0x%02x", exthdr->ip_nh); + switch (exthdr->ip_nh) { +@@ -700,9 +699,9 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_b + case TCPR_IPV6_NH_FRAGMENT: + dbg(3, "Looks like were a fragment header. Returning some frag'd data."); + ptr = (void *)((u_char *)exthdr + sizeof(struct tcpr_ipv6_frag_hdr)); +- if (*(int*)ptr > maxlen) ++ if (ptr > end_ptr) + return NULL; +- return ptr; ++ return (void *)ptr; + break; + + /* all the rest require us to go deeper using the ip_len field */ +@@ -713,11 +712,11 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_b + case TCPR_IPV6_NH_AH: + extlen = IPV6_EXTLEN_TO_BYTES(exthdr->ip_len); + dbgx(3, "Looks like we're an ext header (0x%hhx). Jumping %u bytes" +- " to the next", exthdr->ip_nh, extlen); +- ptr = (void *)((u_char *)exthdr + extlen); +- if (*(int*)ptr > maxlen) ++ " to the next", exthdr->ip_nh, extlen); ++ ptr = (u_char *)exthdr + extlen; ++ if (ptr > end_ptr) + return NULL; +- return ptr; ++ return (void *)ptr; + break; + + default: +@@ -732,7 +731,7 @@ get_ipv6_next(struct tcpr_ipv6_ext_hdr_b + * the extension headers + */ + uint8_t +-get_ipv6_l4proto(const ipv6_hdr_t *ip6_hdr, const int l3len) ++get_ipv6_l4proto(const ipv6_hdr_t *ip6_hdr, const u_char *end_ptr) + { + u_char *ptr = (u_char *)ip6_hdr + TCPR_IPV6_H; /* jump to the end of the IPv6 header */ + uint8_t proto; +@@ -740,15 +739,15 @@ get_ipv6_l4proto(const ipv6_hdr_t *ip6_h + + assert(ip6_hdr); + +- proto = ip6_hdr->ip_nh; +- int l4len = l3len - TCPR_IPV6_H; +- if (l4len < 0) +- return proto; ++ if (ptr > end_ptr) ++ return TCPR_IPV6_NH_NO_NEXT; + ++ proto = ip6_hdr->ip_nh; + while (TRUE) { + dbgx(3, "Processing next proto 0x%02X", proto); + switch (proto) { + /* no further processing for IPV6 types with nothing beyond them */ ++ case TCPR_IPV6_NH_NO_NEXT: + case TCPR_IPV6_NH_FRAGMENT: + case TCPR_IPV6_NH_ESP: + dbg(3, "No-Next or ESP... can't go any further..."); +@@ -758,7 +757,7 @@ get_ipv6_l4proto(const ipv6_hdr_t *ip6_h + /* recurse */ + case TCPR_IPV6_NH_IPV6: + dbg(3, "Recursing due to v6 in v6"); +- return get_ipv6_l4proto((ipv6_hdr_t *)ptr, l4len); ++ return get_ipv6_l4proto((ipv6_hdr_t *)ptr, end_ptr); + break; + + /* loop again */ +@@ -768,11 +767,10 @@ get_ipv6_l4proto(const ipv6_hdr_t *ip6_h + case TCPR_IPV6_NH_HBH: + dbgx(3, "Jumping to next extension header (0x%hhx)", proto); + exthdr = get_ipv6_next((struct tcpr_ipv6_ext_hdr_base *)ptr, +- l4len); +- if (exthdr == NULL) +- return proto; ++ end_ptr); ++ if (exthdr == NULL || (u_char*)exthdr + sizeof(*exthdr) > end_ptr) ++ return TCPR_IPV6_NH_NO_NEXT; + proto = exthdr->ip_nh; +- l4len -= (u_char *)exthdr - ptr; + ptr = (u_char *)exthdr; + break; + +--- tcpreplay-4.4.1.orig/src/common/get.h ++++ tcpreplay-4.4.1/src/common/get.h +@@ -47,11 +47,10 @@ int get_l2len_protocol(const u_char *pkt + uint32_t *l2offset, + uint32_t *vlan_offset); + +-void *get_layer4_v4(const ipv4_hdr_t *ip_hdr, const int l3len); +-void *get_layer4_v6(const ipv6_hdr_t *ip_hdr, const int l3len); ++void *get_layer4_v4(const ipv4_hdr_t *ip_hdr, const u_char *end_ptr); ++void *get_layer4_v6(const ipv6_hdr_t *ip_hdr, const u_char *end_ptr); + +-u_int8_t get_ipv6_l4proto(const ipv6_hdr_t *ip6_hdr, const int l3len); +-void *get_ipv6_next(struct tcpr_ipv6_ext_hdr_base *exthdr, const int l3len); ++u_int8_t get_ipv6_l4proto(const ipv6_hdr_t *ip6_hdr, const u_char *end_ptr); + + const u_char *get_ipv4(const u_char *pktdata, int datalen, int datalink, u_char **newbuff); + const u_char *get_ipv6(const u_char *pktdata, int datalen, int datalink, u_char **newbuff); +--- tcpreplay-4.4.1.orig/src/tcpedit/checksum.c ++++ tcpreplay-4.4.1/src/tcpedit/checksum.c +@@ -34,7 +34,12 @@ static int do_checksum_math(uint16_t *, + * Returns -1 on error and 0 on success, 1 on warn + */ + int +-do_checksum(tcpedit_t *tcpedit, uint8_t *data, int proto, int len) { ++do_checksum(tcpedit_t *tcpedit, ++ uint8_t *data, ++ int proto, ++ int len, ++ const u_char *end_ptr) ++{ + ipv4_hdr_t *ipv4; + ipv6_hdr_t *ipv6; + tcp_hdr_t *tcp; +@@ -60,10 +65,10 @@ do_checksum(tcpedit_t *tcpedit, uint8_t + ipv6 = (ipv6_hdr_t *)data; + ipv4 = NULL; + +- proto = get_ipv6_l4proto(ipv6, len + sizeof(ipv6_hdr_t)); ++ proto = get_ipv6_l4proto(ipv6, end_ptr); + dbgx(3, "layer4 proto is 0x%hx", (uint16_t)proto); + +- layer = (u_char*)get_layer4_v6(ipv6, len + sizeof(ipv6_hdr_t)); ++ layer = (u_char*)get_layer4_v6(ipv6, end_ptr); + if (!layer) { + tcpedit_setwarn(tcpedit, "%s", "Packet to short for checksum"); + return TCPEDIT_WARN; +--- tcpreplay-4.4.1.orig/src/tcpedit/checksum.h ++++ tcpreplay-4.4.1/src/tcpedit/checksum.h +@@ -24,6 +24,6 @@ + #define CHECKSUM_CARRY(x) \ + (x = (x >> 16) + (x & 0xffff), (~(x + (x >> 16)) & 0xffff)) + +-int do_checksum(tcpedit_t *, u_int8_t *, int, int); ++int do_checksum(tcpedit_t *, u_int8_t *, int, int, const u_char*); + + #endif +--- tcpreplay-4.4.1.orig/src/tcpedit/edit_packet.c ++++ tcpreplay-4.4.1/src/tcpedit/edit_packet.c +@@ -87,14 +87,21 @@ fix_ipv4_checksums(tcpedit_t *tcpedit, s + tcpedit->runtime.packetnum); + return TCPEDIT_ERROR; + } +- ret1 = do_checksum(tcpedit, (u_char*)ip_hdr, ip_hdr->ip_p, +- ip_len - (ip_hdr->ip_hl << 2)); ++ ret1 = do_checksum(tcpedit, ++ (u_char*)ip_hdr, ++ ip_hdr->ip_p, ++ ip_len - (ip_hdr->ip_hl << 2), ++ (u_char*)ip_hdr + pkthdr->caplen - l2len); + if (ret1 < 0) + return TCPEDIT_ERROR; + } + + /* calc IP checksum */ +- ret2 = do_checksum(tcpedit, (u_char *) ip_hdr, IPPROTO_IP, ip_len); ++ ret2 = do_checksum(tcpedit, ++ (u_char*)ip_hdr, ++ IPPROTO_IP, ++ ip_len, ++ (u_char*)ip_hdr + pkthdr->caplen - l2len); + if (ret2 < 0) + return TCPEDIT_ERROR; + +@@ -164,8 +171,11 @@ fix_ipv6_checksums(tcpedit_t *tcpedit, s + tcpedit->runtime.packetnum, ip6_hdr->ip_len); + return TCPEDIT_WARN; + } +- ret = do_checksum(tcpedit, (u_char *)ip6_hdr, ip6_hdr->ip_nh, +- htons(ip6_hdr->ip_len)); ++ ret = do_checksum(tcpedit, ++ (u_char*)ip6_hdr, ++ ip6_hdr->ip_nh, ++ htons(ip6_hdr->ip_len), ++ (u_char*)ip6_hdr + pkthdr->caplen - l2len); + if (ret < 0) + return TCPEDIT_ERROR; + } +@@ -265,13 +275,13 @@ static void ipv4_addr_csum_replace(ipv4_ + protocol = ip_hdr->ip_p; + switch (protocol) { + case IPPROTO_UDP: +- l4 = get_layer4_v4(ip_hdr, len); ++ l4 = get_layer4_v4(ip_hdr, (u_char *)ip_hdr + l3len); + len -= ip_hdr->ip_hl << 2; + len -= TCPR_UDP_H; + break; + + case IPPROTO_TCP: +- l4 = get_layer4_v4(ip_hdr, len); ++ l4 = get_layer4_v4(ip_hdr, (u_char *)ip_hdr + l3len); + len -= ip_hdr->ip_hl << 2; + len -= TCPR_TCP_H; + break; +@@ -293,32 +303,27 @@ static void ipv6_addr_csum_replace(ipv6_ + const int l3len) + { + uint8_t *l4, protocol; +- int len = l3len; + + assert(ip6_hdr); + +- if ((size_t)len < sizeof(*ip6_hdr)) ++ if ((size_t)l3len < sizeof(*ip6_hdr)) + return; + +- protocol = get_ipv6_l4proto(ip6_hdr, len); ++ protocol = get_ipv6_l4proto(ip6_hdr, (u_char*)ip6_hdr + l3len); + switch (protocol) { + case IPPROTO_UDP: +- l4 = get_layer4_v6(ip6_hdr, len); +- len -= sizeof(*ip6_hdr); +- len -= TCPR_UDP_H; ++ l4 = get_layer4_v6(ip6_hdr, (u_char*)ip6_hdr + l3len); + break; + + case IPPROTO_TCP: +- l4 = get_layer4_v6(ip6_hdr, len); +- len -= sizeof(*ip6_hdr); +- len -= TCPR_TCP_H; ++ l4 = get_layer4_v6(ip6_hdr, (u_char*)ip6_hdr + l3len); + break; + + default: + l4 = NULL; + } + +- if (!l4 || len < 0) ++ if (!l4) + return; + + ipv6_l34_csum_replace(l4, protocol, (uint32_t*)old_ip, (uint32_t*)new_ip); +--- tcpreplay-4.4.1.orig/src/tcpedit/fuzzing.c ++++ tcpreplay-4.4.1/src/tcpedit/fuzzing.c +@@ -123,7 +123,8 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_ + switch (l2proto) { + case (ETHERTYPE_IP): + { +- l4data = get_layer4_v4((ipv4_hdr_t*)l3data, pkthdr->caplen - l2len); ++ l4data = get_layer4_v4((ipv4_hdr_t*)l3data, ++ l3data + pkthdr->caplen - l2len); + if (!l4data) + goto done; + +@@ -131,7 +132,8 @@ fuzzing(tcpedit_t *tcpedit, struct pcap_ + break; + } + case (ETHERTYPE_IP6): { +- l4data = get_layer4_v6((ipv6_hdr_t*)l3data, pkthdr->caplen - l2len); ++ l4data = get_layer4_v6((ipv6_hdr_t*)l3data, ++ l3data + pkthdr->caplen - l2len); + if (!l4data) + goto done; + +--- tcpreplay-4.4.1.orig/src/tcpedit/portmap.c ++++ tcpreplay-4.4.1/src/tcpedit/portmap.c +@@ -370,7 +370,7 @@ rewrite_ipv4_ports(tcpedit_t *tcpedit, i + l3len); + return TCPEDIT_ERROR; + } else if ((*ip_hdr)->ip_p == IPPROTO_TCP || (*ip_hdr)->ip_p == IPPROTO_UDP) { +- l4 = get_layer4_v4(*ip_hdr, l3len); ++ l4 = get_layer4_v4(*ip_hdr, (u_char *)ip_hdr + l3len); + if (l4) + return rewrite_ports(tcpedit, (*ip_hdr)->ip_p, l4, + l3len - (l4 - (u_char*)*ip_hdr)); +@@ -394,7 +394,7 @@ rewrite_ipv6_ports(tcpedit_t *tcpedit, i + l3len); + return TCPEDIT_ERROR; + } else if ((*ip6_hdr)->ip_nh == IPPROTO_TCP || (*ip6_hdr)->ip_nh == IPPROTO_UDP) { +- l4 = get_layer4_v6(*ip6_hdr, l3len); ++ l4 = get_layer4_v6(*ip6_hdr, (u_char*)ip6_hdr + l3len); + if (l4) + return rewrite_ports(tcpedit, (*ip6_hdr)->ip_nh, l4, + l3len - (l4 - (u_char*)*ip6_hdr)); +--- tcpreplay-4.4.1.orig/src/tcpedit/rewrite_sequence.c ++++ tcpreplay-4.4.1/src/tcpedit/rewrite_sequence.c +@@ -70,7 +70,8 @@ rewrite_ipv4_tcp_sequence(tcpedit_t *tcp + assert(*ip_hdr && ip_hdr); + + if (*ip_hdr && (*ip_hdr)->ip_p == IPPROTO_TCP) { +- tcp_hdr_t *tcp_hdr = (tcp_hdr_t *)get_layer4_v4(*ip_hdr, l3len); ++ tcp_hdr_t *tcp_hdr = (tcp_hdr_t *)get_layer4_v4(*ip_hdr, ++ (u_char *)ip_hdr + l3len); + if (!tcp_hdr) { + tcpedit_setwarn(tcpedit, "caplen to small to set TCP sequence for IP packet: l3 len=%d", + l3len); +@@ -91,7 +92,8 @@ rewrite_ipv6_tcp_sequence(tcpedit_t *tcp + assert(*ip6_hdr && ip6_hdr); + + if (*ip6_hdr && (*ip6_hdr)->ip_nh == IPPROTO_TCP) { +- tcp_hdr_t *tcp_hdr = (tcp_hdr_t *)get_layer4_v6(*ip6_hdr, l3len); ++ tcp_hdr_t *tcp_hdr = (tcp_hdr_t *)get_layer4_v6(*ip6_hdr, ++ (u_char*)ip6_hdr + l3len); + if (!tcp_hdr) { + tcpedit_setwarn(tcpedit, "caplen to small to set TCP sequence for IP packet: l3 len=%d", + l3len); +--- tcpreplay-4.4.1.orig/src/tcpedit/tcpedit.c ++++ tcpreplay-4.4.1/src/tcpedit/tcpedit.c +@@ -174,7 +174,7 @@ again: + if (ip_hdr == NULL) + return TCPEDIT_SOFT_ERROR; + +- p = get_layer4_v4(ip_hdr, (*pkthdr)->caplen - l2len); ++ p = get_layer4_v4(ip_hdr, (u_char*)ip_hdr + (*pkthdr)->caplen - l2len); + if (!p) { + tcpedit_seterr(tcpedit, "Packet length %d is too short to contain a layer %d byte IP header for DLT 0x%04x", + pktlen, ip_hdr->ip_hl << 2, dst_dlt); +@@ -195,7 +195,7 @@ again: + if (ip6_hdr == NULL) + return TCPEDIT_SOFT_ERROR; + +- p = get_layer4_v6(ip6_hdr, (*pkthdr)->caplen - l2len); ++ p = get_layer4_v6(ip6_hdr, (u_char*)ip6_hdr + (*pkthdr)->caplen - l2len); + if (!p) { + tcpedit_seterr(tcpedit, "Packet length %d is too short to contain an IPv6 header for DLT 0x%04x", + pktlen, dst_dlt); +--- tcpreplay-4.4.1.orig/src/tcpprep.c ++++ tcpreplay-4.4.1/src/tcpprep.c +@@ -215,14 +215,14 @@ check_dst_port(ipv4_hdr_t *ip_hdr, ipv6_ + return 0; /* not enough data in the packet to know */ + + proto = ip_hdr->ip_p; +- l4 = get_layer4_v4(ip_hdr, len); ++ l4 = get_layer4_v4(ip_hdr, (u_char*)ip_hdr + len); + } else if (ip6_hdr) { + if (len < (TCPR_IPV6_H + 4)) + return 0; /* not enough data in the packet to know */ + +- proto = get_ipv6_l4proto(ip6_hdr, len); ++ proto = get_ipv6_l4proto(ip6_hdr, (u_char*)ip6_hdr + len); + dbgx(3, "Our layer4 proto is 0x%hhu", proto); +- if ((l4 = get_layer4_v6(ip6_hdr, len)) == NULL) ++ if ((l4 = get_layer4_v6(ip6_hdr, (u_char*)ip6_hdr + len)) == NULL) + return 0; + + dbgx(3, "Found proto %u at offset %p. base %p (%p)", proto, (void *)l4, (void *)ip6_hdr, (void*)(l4 - (u_char *)ip6_hdr)); diff -pruN 4.4.1-2/debian/patches/CVE-2022-27942.patch 4.4.1-2ubuntu1/debian/patches/CVE-2022-27942.patch --- 4.4.1-2/debian/patches/CVE-2022-27942.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/patches/CVE-2022-27942.patch 2022-09-27 03:55:27.000000000 +0000 @@ -0,0 +1,58 @@ +From 54297efdf9c0f08c87ef8162dede9fec6c21ee89 Mon Sep 17 00:00:00 2001 +From: Fred Klassen +Date: Thu, 4 Aug 2022 18:53:14 -0700 +Subject: [PATCH] Bug #719 better overflow protection in parse_mpls + +--- + docs/CHANGELOG | 1 + + src/common/get.c | 12 +++++------- + 2 files changed, 6 insertions(+), 7 deletions(-) + +--- tcpreplay-4.4.1.orig/src/common/get.c ++++ tcpreplay-4.4.1/src/common/get.c +@@ -98,7 +98,7 @@ int parse_mpls(const u_char *pktdata, + uint32_t *l2offset) + { + struct tcpr_mpls_label *mpls_label; +- int len_remaining = (int)datalen; ++ u_char *end_ptr = pktdata + datalen; + u_char first_nibble; + eth_hdr_t *eth_hdr; + bool bos = false; +@@ -113,12 +113,11 @@ int parse_mpls(const u_char *pktdata, + + /* move over MPLS labels until we get to the last one */ + while (!bos) { +- if (len_remaining < (int)sizeof(*mpls_label)) ++ if (pktdata + len + sizeof(*mpls_label) > end_ptr) + return -1; + + mpls_label = (struct tcpr_mpls_label*)(pktdata + len); + len += sizeof(*mpls_label); +- len_remaining -= sizeof(*mpls_label); + bos = (ntohl(mpls_label->entry) & MPLS_LS_S_MASK) != 0; + label = ntohl(mpls_label->entry) >> MPLS_LS_LABEL_SHIFT; + if (label == MPLS_LABEL_GACH) { +@@ -128,7 +127,7 @@ int parse_mpls(const u_char *pktdata, + } + } + +- if (len_remaining < 4) ++ if ((u_char*)mpls_label + 1 > end_ptr) + return -1; + + first_nibble = *((u_char *)(mpls_label + 1)) >> 4; +@@ -143,11 +142,10 @@ int parse_mpls(const u_char *pktdata, + /* EoMPLS - jump over PW Ethernet Control Word and handle + * inner Ethernet header + */ +- len += 4; +- len_remaining -= 4; +- if (len_remaining < (int)sizeof(*eth_hdr)) ++ if (pktdata + len + 4 + sizeof(*eth_hdr) > end_ptr) + return -1; + ++ len += 4; + *l2offset = len; + eth_hdr = (eth_hdr_t*)(pktdata + len); + len += sizeof(*eth_hdr); diff -pruN 4.4.1-2/debian/patches/CVE-2022-28487.patch 4.4.1-2ubuntu1/debian/patches/CVE-2022-28487.patch --- 4.4.1-2/debian/patches/CVE-2022-28487.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/patches/CVE-2022-28487.patch 2022-09-27 03:55:27.000000000 +0000 @@ -0,0 +1,20 @@ +From da398bfc3443761effcd975b1179476bf662a960 Mon Sep 17 00:00:00 2001 +From: tin-z +Date: Mon, 14 Mar 2022 23:03:46 +0100 +Subject: [PATCH] fixed format string in 'src/tcpedit/edit_packet.c' file + +--- + src/tcpedit/edit_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- tcpreplay-4.4.1.orig/src/tcpedit/edit_packet.c ++++ tcpreplay-4.4.1/src/tcpedit/edit_packet.c +@@ -168,7 +168,7 @@ fix_ipv6_checksums(tcpedit_t *tcpedit, s + int ip6_len = ipv6_header_length(ip6_hdr, pkthdr->len, l2len); + if (ip6_hdr->ip_len < ip6_len) { + tcpedit_setwarn(tcpedit, "Unable to checksum IPv6 packet with invalid: pkt=" COUNTER_SPEC " IP length=%u caplen=" COUNTER_SPEC, +- tcpedit->runtime.packetnum, ip6_hdr->ip_len); ++ tcpedit->runtime.packetnum, ip6_hdr->ip_len, pkthdr->caplen); + return TCPEDIT_WARN; + } + ret = do_checksum(tcpedit, diff -pruN 4.4.1-2/debian/patches/CVE-2022-37048.patch 4.4.1-2ubuntu1/debian/patches/CVE-2022-37048.patch --- 4.4.1-2/debian/patches/CVE-2022-37048.patch 1970-01-01 00:00:00.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/patches/CVE-2022-37048.patch 2022-09-27 03:55:27.000000000 +0000 @@ -0,0 +1,21 @@ +From 6a840817e3a5a5674fdc1122954c445bec78fd51 Mon Sep 17 00:00:00 2001 +From: Fred Klassen +Date: Sat, 6 Aug 2022 19:33:26 -0700 +Subject: [PATCH] Bug #735 heap-overflow in get_l2len_protocol + +--- + docs/CHANGELOG | 1 + + src/common/get.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- tcpreplay-4.4.1.orig/src/common/get.c ++++ tcpreplay-4.4.1/src/common/get.c +@@ -336,7 +336,7 @@ int get_l2len_protocol(const u_char *pkt + vlan_offset)) + return -1; + +- if (datalen < l2_net_off) ++ if (datalen <= l2_net_off) + return -1; + + *l2len = l2_net_off; diff -pruN 4.4.1-2/debian/patches/series 4.4.1-2ubuntu1/debian/patches/series --- 4.4.1-2/debian/patches/series 2022-04-23 22:24:24.000000000 +0000 +++ 4.4.1-2ubuntu1/debian/patches/series 2022-09-27 03:55:27.000000000 +0000 @@ -5,3 +5,9 @@ upstream.fix-build-on-i386.patch # modifications for Debian debian.disable-tcpreplay-test.patch +CVE-2022-25484_27941.patch +CVE-2022-27939.patch +CVE-2022-27940_37047_37049.patch +CVE-2022-27942.patch +CVE-2022-28487.patch +CVE-2022-37048.patch