diff --git a/CVE-2021-3570.patch b/CVE-2021-3570.patch
deleted file mode 100644
index e868972ce8d53263989dd47b104319c5b611b793..0000000000000000000000000000000000000000
--- a/CVE-2021-3570.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-From ce15e4de5926724557e8642ec762a210632f15ca Mon Sep 17 00:00:00 2001
-From: Richard Cochran
-Date: Sat, 17 Apr 2021 15:15:18 -0700
-Subject: [PATCH] Validate the messageLength field of incoming messages.
-
-The PTP messageLength field is redundant because the length of a PTP
-message is precisely determined by the message type and the appended
-TLVs. The current implementation validates the sizes of both the main
-message (according to the fixed header length and fixed length by
-type) and the TLVs (by using the 'L' of the TLV).
-
-However, when forwarding a message, the messageLength field is used.
-If a message arrives with a messageLength field larger than the actual
-message size, the code will read and possibly write data beyond the
-allocated buffer.
-
-Fix the issue by validating the field on ingress. This prevents
-reading and sending data past the message buffer when forwarding a
-management message or other messages when operating as a transparent
-clock, and it also prevents a memory corruption in msg_post_recv()
-after forwarding a management message.
-
-Reported-by: Miroslav Lichvar
-Signed-off-by: Richard Cochran
----
- msg.c | 18 ++++++++++++------
- 1 file changed, 12 insertions(+), 6 deletions(-)
-
-diff --git a/msg.c b/msg.c
-index d1619d49..5ae8ebbf 100644
---- a/msg.c
-+++ b/msg.c
-@@ -186,7 +186,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
- {
- uint8_t *ptr = msg_suffix(msg);
- struct tlv_extra *extra;
-- int err;
-+ int err, suffix_len = 0;
-
- if (!ptr)
- return 0;
-@@ -204,12 +204,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
- tlv_extra_recycle(extra);
- return -EBADMSG;
- }
-+ suffix_len += sizeof(struct TLV);
- len -= sizeof(struct TLV);
- ptr += sizeof(struct TLV);
- if (extra->tlv->length > len) {
- tlv_extra_recycle(extra);
- return -EBADMSG;
- }
-+ suffix_len += extra->tlv->length;
- len -= extra->tlv->length;
- ptr += extra->tlv->length;
- err = tlv_post_recv(extra);
-@@ -219,7 +221,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
- }
- msg_tlv_attach(msg, extra);
- }
-- return 0;
-+ return suffix_len;
- }
-
- static void suffix_pre_send(struct ptp_message *msg)
-@@ -337,7 +339,7 @@ void msg_get(struct ptp_message *m)
-
- int msg_post_recv(struct ptp_message *m, int cnt)
- {
-- int pdulen, type, err;
-+ int err, pdulen, suffix_len, type;
-
- if (cnt < sizeof(struct ptp_header))
- return -EBADMSG;
-@@ -422,9 +424,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
- break;
- }
-
-- err = suffix_post_recv(m, cnt - pdulen);
-- if (err)
-- return err;
-+ suffix_len = suffix_post_recv(m, cnt - pdulen);
-+ if (suffix_len < 0) {
-+ return suffix_len;
-+ }
-+ if (pdulen + suffix_len != m->header.messageLength) {
-+ return -EBADMSG;
-+ }
-
- return 0;
- }
diff --git a/CVE-2021-3571.patch b/CVE-2021-3571.patch
deleted file mode 100644
index 57525147c5e0d05c229d1f9c90391e2a8e11ccb2..0000000000000000000000000000000000000000
--- a/CVE-2021-3571.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d61d77e163dbee247819f3d88593ba111577af15 Mon Sep 17 00:00:00 2001
-From: Miroslav Lichvar
-Date: Fri, 26 Mar 2021 09:57:43 +0100
-Subject: [PATCH] tc: Fix length of follow-up message of one-step sync.
-
-Convert the length of the generated follow-up message to network order.
-This fixes reading and sending of data past the message buffer.
-
-Signed-off-by: Miroslav Lichvar
----
- tc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/tc.c b/tc.c
-index d9e4853..2e3830c 100644
---- a/tc.c
-+++ b/tc.c
-@@ -452,7 +452,7 @@ int tc_fwd_sync(struct port *q, struct ptp_message *msg)
- }
- fup->header.tsmt = FOLLOW_UP | (msg->header.tsmt & 0xf0);
- fup->header.ver = msg->header.ver;
-- fup->header.messageLength = sizeof(struct follow_up_msg);
-+ fup->header.messageLength = htons(sizeof(struct follow_up_msg));
- fup->header.domainNumber = msg->header.domainNumber;
- fup->header.sourcePortIdentity = msg->header.sourcePortIdentity;
- fup->header.sequenceId = msg->header.sequenceId;
diff --git a/linuxptp-2.0.tgz b/linuxptp-2.0.tgz
deleted file mode 100644
index a42e8c1fc42203710f5cdd8da2493d19d02ad626..0000000000000000000000000000000000000000
Binary files a/linuxptp-2.0.tgz and /dev/null differ
diff --git a/linuxptp-3.1.1.tgz b/linuxptp-3.1.1.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..c60ac19df2392923354d01eb050ea69dbccd5992
Binary files /dev/null and b/linuxptp-3.1.1.tgz differ
diff --git a/linuxptp.spec b/linuxptp.spec
index ceee79aa991e8bae0e42d614b80f5c6dd0224ad8..8e435d27c3307d9f26c057247002682bccb259d5 100644
--- a/linuxptp.spec
+++ b/linuxptp.spec
@@ -1,6 +1,6 @@
 Name: linuxptp
-Version: 2.0
-Release: 5
+Version: 3.1.1
+Release: 1
 Summary: Linuxptp is an implementation of the Precision Time Protocol (PTP)
 Group: System Environment/Base
 License: GPLv2+
@@ -9,9 +9,6 @@ Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tgz Source1: phc2sys.service Source2: ptp4l.service -patch0000: CVE-2021-3571.patch -Patch0001: CVE-2021-3570.patch - BuildRequires: gcc gcc-c++ systemd git net-tools @@ -75,12 +72,17 @@ echo 'OPTIONS="-a -r"' > %{buildroot}%{_sysconfdir}/sysconfig/phc2sys %{_sbindir}/pmc %{_sbindir}/ptp4l %{_sbindir}/timemaster +%{_sbindir}/ts2phc %files help %{_mandir}/man8/*.8* %changelog +* Wed Jun 15 2022 YukariChiba - 3.1.1-1 +- Upgrade version to 3.1.1 +- Merged two patches + * Wed Sep 22 2021 yaoxin - 2.0-5 - Fix CVE-2021-3570
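Review bot: The `@@ -9,9 +9,6 @@` hunk drops `CVE-2021-3571.patch` and `CVE-2021-3570.patch` from the build, but the only record of why is the new changelog line `- Merged two patches`, which names neither CVE. Anyone auditing the package from its `%changelog` can no longer tell that both issues are still covered. I would word the entry as `- Drop CVE-2021-3570.patch and CVE-2021-3571.patch, included upstream in 3.1.1`. Before merging, confirm against the unpacked tarball that `msg.c` validates `messageLength` in `msg_post_recv()` and that `tc.c` applies `htons()` to the follow-up length, since the tarball is swapped as a binary blob and cannot be reviewed from this diff. Recording a checksum for `linuxptp-3.1.1.tgz` alongside the spec would make that swap verifiable.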