From 9fe7e9f288be70c24265b38126b0c8e4cf8d743f Mon Sep 17 00:00:00 2001
From: Pierre Chifflier
Date: Sun, 30 Mar 2025 12:03:02 +0200
Subject: [PATCH] CVE-2024-37151

commit 9d5c4273cb7e5ca65f195f7361f0d848c85180e0
Author: Victor Julien
Date:   Tue Jun 4 14:43:22 2024 +0200

    defrag: don't use completed tracker

    When a Tracker is set up for an IPID, frags come in for it and it's
    reassembled and complete, the `DefragTracker::remove` flag is set. This
    is meant to tell the hash cleanup code to recycle the tracker and to let
    the lookup code skip the tracker during lookup.

    A logic error led to the following scenario:

    1. there are sufficient frag trackers to make sure the hash table is
       filled with trackers
    2. frags for a Packet with IPID X are processed correctly (X1)
    3. frags for a new Packet that also has IPID X come in quickly after
       the first (X2).
    4. during the lookup, the frag for X2 hashes to a hash row that holds
       more than one tracker
    5. as the trackers in hash row are evaluated, it finds the tracker for
       X1, but since the `remove` bit is not checked, it is returned as the
       tracker for X2.
    6. reassembly fails, as the tracker is already complete

    The logic error is that only for the first tracker in a row the `remove`
    bit was checked, leading to reuse of a closed tracker if there were more
    trackers in the hash row.

    Ticket: #7042.

Gbp-Pq: Name CVE-2024-37151.patch
---
 src/defrag-hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/defrag-hash.c b/src/defrag-hash.c
index 317a0122..bb3cd4b2 100644
--- a/src/defrag-hash.c
+++ b/src/defrag-hash.c
@@ -582,7 +582,7 @@ DefragTracker *DefragGetTrackerFromHash (Packet *p)
 return dt;
 }
 
-if (DefragTrackerCompare(dt, p) != 0) {
+if (!dt->remove && DefragTrackerCompare(dt, p) != 0) {
 /* we found our tracker, lets put it on top of the
 * hash list -- this rewards active trackers */
 if (dt->hnext) {
-- 
2.30.2
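Review bot: the `!dt->remove` guard added at `if (!dt->remove && DefragTrackerCompare(dt, p) != 0) {` closes the chained-tracker path, but it is a second copy of a precondition that, per the commit message, already exists for the head-of-row case outside this hunk, and two hand-maintained copies of the same check is exactly how the original omission happened; consider folding the `remove` test into `DefragTrackerCompare()` (or a small helper that both call sites use) so no lookup path can forget it. A tracker with `remove` set also stays in the chain and is walked on every lookup until the hash cleanup recycles it, which is worth a one-line comment at this `if` so the next reader knows the skip is intentional. Since the diffstat shows only this one-line change, a regression test for "second packet with the same IPID arrives before the completed tracker is recycled" would lock the fix in.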
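The scenario in the commit message (a completed tracker that is skipped when it heads the row but reused when it sits further down the chain) is easier to see in a small model. The following is an added example written for this page, not Suricata's code: `Tracker`, `HashRow`, `lookup_buggy` and `lookup_fixed` are constructed stand-ins for the real `DefragTracker`, hash-row walk and `DefragTrackerCompare()`, and the IP IDs and chain layout are made up to reproduce steps 1 to 6 above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one defrag hash row (not Suricata's real structs):
 * a singly linked chain of trackers, each keyed by IP ID and carrying the
 * `remove` flag that marks a completed tracker awaiting recycling. */
typedef struct Tracker {
    uint16_t ipid;
    bool remove;            /* set once reassembly for this tracker completed */
    struct Tracker *hnext;  /* next tracker in the same hash row */
} Tracker;

typedef struct {
    Tracker *head;
} HashRow;

/* Stand-in for the key comparison; the real one also compares addresses. */
static bool tracker_matches(const Tracker *t, uint16_t ipid)
{
    return t->ipid == ipid;
}

/* Lookup as the commit message describes the pre-fix code: the `remove`
 * flag is honoured only for the first tracker in the row, the rest of the
 * chain is matched on the key alone. */
static Tracker *lookup_buggy(HashRow *row, uint16_t ipid)
{
    Tracker *t = row->head;
    if (t == NULL)
        return NULL;
    if (!t->remove && tracker_matches(t, ipid))
        return t;
    for (t = t->hnext; t != NULL; t = t->hnext) {
        if (tracker_matches(t, ipid))   /* missing !t->remove check */
            return t;
    }
    return NULL;
}

/* Lookup with the fix applied: every tracker in the chain is skipped while
 * its `remove` flag is set, so a completed tracker is never handed out. */
static Tracker *lookup_fixed(HashRow *row, uint16_t ipid)
{
    for (Tracker *t = row->head; t != NULL; t = t->hnext) {
        if (!t->remove && tracker_matches(t, ipid))
            return t;
    }
    return NULL;
}

/* Steps 1-6 of the commit message: the row holds an unrelated tracker Y at
 * its head and the completed tracker for X1 behind it; then frags for a new
 * packet X2 with the same IP ID arrive. Returns 1 when the buggy lookup hands
 * back the completed X1 tracker while the fixed lookup correctly finds none
 * (so the caller allocates a fresh tracker for X2). */
int reproduce_stale_tracker_reuse(void)
{
    Tracker x1 = { .ipid = 0x1234, .remove = true,  .hnext = NULL };
    Tracker y  = { .ipid = 0x0042, .remove = false, .hnext = &x1 };
    HashRow row = { .head = &y };

    Tracker *b = lookup_buggy(&row, 0x1234);
    Tracker *f = lookup_fixed(&row, 0x1234);
    return (b == &x1 && b->remove) && (f == NULL);
}

/* The head-of-row case the old code already handled: X1 is the first (and
 * only) tracker in the row, so both versions skip it. Returns 1 on success. */
int head_case_handled_by_both(void)
{
    Tracker x1 = { .ipid = 0x1234, .remove = true, .hnext = NULL };
    HashRow row = { .head = &x1 };
    return lookup_buggy(&row, 0x1234) == NULL &&
           lookup_fixed(&row, 0x1234) == NULL;
}

int main(void)
{
    printf("completed tracker reused by pre-fix lookup: %s\n",
           reproduce_stale_tracker_reuse() ? "yes" : "no");
    printf("head-of-row case handled by both lookups: %s\n",
           head_case_handled_by_both() ? "yes" : "no");
    return 0;
}
```

The model deliberately keeps the "move the hit to the front of the row" step out of the lookups, since it does not affect which tracker is returned; what matters is that in the pre-fix walk the `remove` test is evaluated on a different code path for the head than for the rest of the chain, which is the single-site omission the one-line patch corrects.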