CVE-2024-37151

commit 9d5c4273cb7e5ca65f195f7361f0d848c85180e0
Author: Victor Julien <vjulien@oisf.net>
Date:   Tue Jun 4 14:43:22 2024 +0200

    defrag: don't use completed tracker

    When a Tracker is set up for a IPID, frags come in for it and it's
    reassembled and complete, the `DefragTracker::remove` flag is set. This
    is mean to tell the hash cleanup code to recyle the tracker and to let
    the lookup code skip the tracker during lookup.

    A logic error lead to the following scenario:

    1. there are sufficient frag trackers to make sure the hash table is
       filled with trackers
    2. frags for a Packet with IPID X are processed correctly (X1)
    3. frags for a new Packet that also has IPID X come in quickly after the
       first (X2).
    4. during the lookup, the frag for X2 hashes to a hash row that holds
       more than one tracker
    5. as the trackers in hash row are evaluated, it finds the tracker for
       X1, but since the `remove` bit is not checked, it is returned as the
       tracker for X2.
    6. reassembly fails, as the tracker is already complete

    The logic error is that only for the first tracker in a row the `remove`
    bit was checked, leading to reuse to a closed tracker if there were more
    trackers in the hash row.

    Ticket: #7042.

Gbp-Pq: Name CVE-2024-37151.patch

diff --git a/src/defrag-hash.c b/src/defrag-hash.c
index 317a0122d0c5a5b5e30937a64d47241722d31e1c..bb3cd4b2d0ecb872c931a208d68b8f7ddd603355 100644 (file)
--- a/src/defrag-hash.c
+++ b/src/defrag-hash.c
@@ -582,7 +582,7 @@ DefragTracker *DefragGetTrackerFromHash (Packet *p)
                 return dt;
             }
 
-            if (DefragTrackerCompare(dt, p) != 0) {
+            if (!dt->remove && DefragTrackerCompare(dt, p) != 0) {
                 /* we found our tracker, lets put it on top of the
                  * hash list -- this rewards active trackers */
                 if (dt->hnext) {