Fix vuln OSV-2024-947

[oss-patch]

[Warning] This PR is generated by AI

1. PR Title: Fix for Heap-Buffer-Overflow Vulnerability in PcapPlusPlus - OSV-2024-947

2. PR Description:

   • Bug Type: Heap-Buffer-Overflow
   • Summary: A heap-buffer-overflow vulnerability was discovered in PcapPlusPlus. The issue arises in the function pcpp::SomeIpSdLayer::getEntries() when attempting to create new SomeIpSdEntry objects without properly checking if sufficient memory is available in the buffer. This leads to access beyond the allocated memory, causing a heap-buffer-overflow.
   • Fix Summary: The patch introduces a bounds check in the getEntries function to ensure the remaining buffer length is adequate before creating a new SomeIpSdEntry object. If the length is insufficient, the loop terminates, preventing out-of-bounds access. This fix enhances the program's security and stability by preventing invalid memory access.

3. Sanitizer Report Summary: The AddressSanitizer report identified a heap-buffer-overflow when the program attempted to access 1 byte beyond a 66-byte allocated buffer. The issue occurs in pcpp::SomeIpSdEntry::SomeIpSdEntry and is triggered via the pcpp::SomeIpSdLayer::getEntries() function. The root cause is the lack of a bounds check before creating a new SomeIpSdEntry object.

4. Full Sanitizer Report:

   ==19259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5070000000d4 at pc 0x563b691eb8e4 bp 0x7ffc2be6b2a0 sp 0x7ffc2be6b298
   READ of size 1 at 0x5070000000d4 thread T0
       #0 0x563b691eb8e3 in pcpp::SomeIpSdEntry::SomeIpSdEntry(pcpp::SomeIpSdLayer const*, unsigned long) /root/Packet++/src/SomeIpSdLayer.cpp:243:62
       #1 0x563b691ecf17 in pcpp::SomeIpSdLayer::getEntries() const /root/Packet++/src/SomeIpSdLayer.cpp:501:16
       #2 0x563b6911ab41 in readParsedPacket(pcpp::Packet, pcpp::Layer*) /root/Tests/Fuzzers/ReadParsedPacket.h:66:32
       #3 0x563b69118e82 in LLVMFuzzerTestOneInput /root/Tests/Fuzzers/FuzzTarget.cpp:66:5
       #4 0x563b690236d4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/FuzzTarget+0xd66d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #5 0x563b6900c806 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/FuzzTarget+0xbf806) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #6 0x563b690122ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/FuzzTarget+0xc52ba) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #7 0x563b6903ca76 in main (/root/out/FuzzTarget+0xefa76) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #8 0x7f56d55321c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #9 0x7f56d553228a in __libc_start_main csu/../csu/libc-start.c:360:3
       #10 0x563b690073d4 in _start (/root/out/FuzzTarget+0xba3d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
   
   0x5070000000d4 is located 2 bytes after 66-byte region [0x507000000090,0x5070000000d2)
   allocated by thread T0 here:
       #0 0x563b69115f21 in operator new[](unsigned long) (/root/out/FuzzTarget+0x1c8f21) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #1 0x563b691338c6 in pcpp::PcapFileReaderDevice::getNextPacket(pcpp::RawPacket&) /root/Pcap++/src/PcapFileDevice.cpp:338:28
       #2 0x563b69130e3f in pcpp::IFileReaderDevice::getNextPackets(pcpp::PointerVector<pcpp::RawPacket>&, int) /root/Pcap++/src/PcapFileDevice.cpp:117:22
       #3 0x563b69118bf4 in LLVMFuzzerTestOneInput /root/Tests/Fuzzers/FuzzTarget.cpp:46:14
       #4 0x563b690236d4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/FuzzTarget+0xd66d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #5 0x563b6900c806 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/FuzzTarget+0xbf806) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #6 0x563b690122ba in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/FuzzTarget+0xc52ba) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #7 0x563b6903ca76 in main (/root/out/FuzzTarget+0xefa76) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
       #8 0x7f56d55321c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #9 0x7f56d553228a in __libc_start_main csu/../csu/libc-start.c:360:3
       #10 0x563b690073d4 in _start (/root/out/FuzzTarget+0xba3d4) (BuildId: 93000ff544a57109e8c9d0f05ff03fc3e9715e92)
   
   SUMMARY: AddressSanitizer
   

5. Files Modified:

   • Packet++/src/SomeIpSdLayer.cpp

   --- a/Packet++/src/SomeIpSdLayer.cpp
   +++ b/Packet++/src/SomeIpSdLayer.cpp
   @@ -499,6 +499,10 @@
    
   		while (remainingLen > 0)
   		{
   +            // Ensure there is enough remaining length for a new entry
   +            if (remainingLen < sizeof(SomeIpSdEntry::someipsdhdrentry)) {
   +                break;
   +            }
   			entry = new SomeIpSdEntry(this, offset);
    
   			size_t entryLen = entry->getLength();

6. Patch Validation: The patch has been validated using the provided PoC, and the heap-buffer-overflow vulnerability has been resolved. No new issues have been introduced.

7. Links:

   • Original Vulnerability Report
   • PoC

[codecov]

Codecov Report

Attention: Patch coverage is 50.00000% with 1 line in your changes missing coverage. Please review.

Project coverage is 83.15%. Comparing base (5db5cad) to head (6dadc4a).

Files with missing lines	Patch %	Lines
Packet++/src/SomeIpSdLayer.cpp	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##              dev    #1699      +/-   ##
==========================================
- Coverage   83.16%   83.15%   -0.01%     
==========================================
  Files         279      279              
  Lines       48536    48538       +2     
  Branches    10507    10508       +1     
==========================================
- Hits        40363    40361       -2     
- Misses       7046     7047       +1     
- Partials     1127     1130       +3     

Flag	Coverage Δ
alpine320	75.12% <0.00%> (-0.01%)	⬇️
fedora40	75.17% <0.00%> (+0.02%)	⬆️
macos-13	80.65% <0.00%> (-0.01%)	⬇️
macos-14	80.65% <0.00%> (-0.01%)	⬇️
macos-15	80.63% <0.00%> (-0.01%)	⬇️
mingw32	70.83% <0.00%> (-0.05%)	⬇️
mingw64	70.79% <0.00%> (-0.05%)	⬇️
npcap	85.18% <50.00%> (-0.09%)	⬇️
rhel94	75.00% <0.00%> (-0.01%)	⬇️
ubuntu2004	58.56% <0.00%> (-0.04%)	⬇️
ubuntu2004-zstd	58.68% <0.00%> (-0.03%)	⬇️
ubuntu2204	74.91% <0.00%> (-0.04%)	⬇️
ubuntu2204-icpx	61.35% <0.00%> (-0.01%)	⬇️
ubuntu2404	75.16% <0.00%> (-0.05%)	⬇️
unittest	83.15% <50.00%> (-0.01%)	⬇️
windows-2019	85.27% <50.00%> (-0.03%)	⬇️
windows-2022	85.30% <50.00%> (-0.02%)	⬇️
winpcap	85.27% <50.00%> (-0.01%)	⬇️
xdp	50.52% <0.00%> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tigercosmos]

@aled-ua could you check why the CI failed?

[oss-patch]

emmm, I'm not sure. Looks like the download failed?

Chocolatey v2.4.1
Installing the following packages:
OpenCppCoverage
By installing, you accept licenses for the packages.
Downloading package from source 'https://community.chocolatey.org/api/v2/'
[NuGet] Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
[NuGet] Response status code does not indicate success: 503 (Service Unavailable: Back-end server is at capacity).
[NuGet] Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
[NuGet] Response status code does not indicate success: 503 (Service Unavailable: Back-end server is at capacity).
opencppcoverage not installed. An error occurred during installation:
 Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.
opencppcoverage package files install failed with exit code 1. Performing other installation steps.
The install of opencppcoverage was NOT successful.
opencppcoverage not installed. An error occurred during installation:
 Error downloading 'opencppcoverage.0.9.9' from 'https://community.chocolatey.org/api/v2/package/opencppcoverage/0.9.9.0'.

Chocolatey installed 0/1 packages. 1 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

[seladb]

Can't we do:

while (remainingLen > sizeof(SomeIpSdEntry::someipsdhdrentry))
{
	entry = new SomeIpSdEntry(this, offset);
	...
}