fix CVE-2021-3570

(cherry picked from commit b97b875c15cf4ab6bcb79e3d7a9ac76fdb433f91)

CVE-2021-3570.patch

@@ -0,0 +1,91 @@
+From ce15e4de5926724557e8642ec762a210632f15ca Mon Sep 17 00:00:00 2001
+From: Richard Cochran <richardcochran@gmail.com>
+Date: Sat, 17 Apr 2021 15:15:18 -0700
+Subject: [PATCH] Validate the messageLength field of incoming messages.
+
+The PTP messageLength field is redundant because the length of a PTP
+message is precisely determined by the message type and the appended
+TLVs.  The current implementation validates the sizes of both the main
+message (according to the fixed header length and fixed length by
+type) and the TLVs (by using the 'L' of the TLV).
+
+However, when forwarding a message, the messageLength field is used.
+If a message arrives with a messageLength field larger than the actual
+message size, the code will read and possibly write data beyond the
+allocated buffer.
+
+Fix the issue by validating the field on ingress.  This prevents
+reading and sending data past the message buffer when forwarding a
+management message or other messages when operating as a transparent
+clock, and it also prevents a memory corruption in msg_post_recv()
+after forwarding a management message.
+
+Reported-by: Miroslav Lichvar <mlichvar@redhat.com>
+Signed-off-by: Richard Cochran <richardcochran@gmail.com>
+---
+ msg.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/msg.c b/msg.c
+index d1619d49..5ae8ebbf 100644
+--- a/msg.c
++++ b/msg.c
+@@ -186,7 +186,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ {
+ 	uint8_t *ptr = msg_suffix(msg);
+ 	struct tlv_extra *extra;
+-	int err;
++	int err, suffix_len = 0;
+ 
+ 	if (!ptr)
+ 		return 0;
+@@ -204,12 +204,14 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ 			tlv_extra_recycle(extra);
+ 			return -EBADMSG;
+ 		}
++		suffix_len += sizeof(struct TLV);
+ 		len -= sizeof(struct TLV);
+ 		ptr += sizeof(struct TLV);
+ 		if (extra->tlv->length > len) {
+ 			tlv_extra_recycle(extra);
+ 			return -EBADMSG;
+ 		}
++		suffix_len += extra->tlv->length;
+ 		len -= extra->tlv->length;
+ 		ptr += extra->tlv->length;
+ 		err = tlv_post_recv(extra);
+@@ -219,7 +221,7 @@ static int suffix_post_recv(struct ptp_message *msg, int len)
+ 		}
+ 		msg_tlv_attach(msg, extra);
+ 	}
+-	return 0;
++	return suffix_len;
+ }
+ 
+ static void suffix_pre_send(struct ptp_message *msg)
+@@ -337,7 +339,7 @@ void msg_get(struct ptp_message *m)
+ 
+ int msg_post_recv(struct ptp_message *m, int cnt)
+ {
+-	int pdulen, type, err;
++	int err, pdulen, suffix_len, type;
+ 
+ 	if (cnt < sizeof(struct ptp_header))
+ 		return -EBADMSG;
+@@ -422,9 +424,13 @@ int msg_post_recv(struct ptp_message *m, int cnt)
+ 		break;
+ 	}
+ 
+-	err = suffix_post_recv(m, cnt - pdulen);
+-	if (err)
+-		return err;
++	suffix_len = suffix_post_recv(m, cnt - pdulen);
++	if (suffix_len < 0) {
++		return suffix_len;
++	}
++	if (pdulen + suffix_len != m->header.messageLength) {
++		return -EBADMSG;
++	}
+ 
+ 	return 0;
+ }

linuxptp.spec

@@ -1,6 +1,6 @@
 Name:		linuxptp
 Version:	2.0
-Release:        4
+Release:        5
 Summary:	Linuxptp is an implementation of the Precision Time Protocol (PTP)
 Group:		System Environment/Base
 License:	GPLv2+
@@ -10,6 +10,7 @@ Source1:	phc2sys.service
 Source2:	ptp4l.service
 
 patch0000: CVE-2021-3571.patch
+Patch0001: CVE-2021-3570.patch
 
 BuildRequires:	gcc gcc-c++ systemd git net-tools
 
@@ -80,6 +81,9 @@ echo 'OPTIONS="-a -r"' > %{buildroot}%{_sysconfdir}/sysconfig/phc2sys
 %{_mandir}/man8/*.8*
 
 %changelog
+* Wed Sep 22 2021 yaoxin <yaoxin30@huawei.com> - 2.0-5
+- Fix CVE-2021-3570
+
 * Wed Jul 14 2021 houyingchao <houyingchao@huawei.com> - 2.0-4
 - fix CVE-2021-3571