From f502522f4bf02375318349331e3994970b970bf2 Mon Sep 17 00:00:00 2001
From: wk333 <13474090681@163.com>
Date: Tue, 11 Feb 2025 19:40:08 +0800
Subject: [PATCH] Fix CVE-2025-24970

(cherry picked from commit 2e198e50f9b22775f676cb0ca325426884fa4064)
---
 CVE-2025-24970.patch | 101 +++++++++++++++++++++++++++++++++++++++++++
 netty.spec | 6 ++-
 2 files changed, 106 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2025-24970.patch

diff --git a/CVE-2025-24970.patch b/CVE-2025-24970.patch
new file mode 100644
index 0000000..47ab2bb
--- /dev/null
+++ b/CVE-2025-24970.patch
@@ -0,0 +1,101 @@
+From 87f40725155b2f89adfde68c7732f97c153676c4 Mon Sep 17 00:00:00 2001
+From: Norman Maurer
+Date: Mon, 10 Feb 2025 16:17:04 +0100
+Subject: [PATCH] Merge commit from fork
+
+Motivation:
+
+We need to handle the situation correctly in all cases when there is not enough data yet to unwrap the packet. Not doing so might cause undefined behaviour
+
+Modifications:
+
+- Correctly check for SslUtils.NOT_ENOUGH_DATA
+- Add assert
+
+Result:
+
+Correctly handle incomplete packets while unwrap
+---
+ .../ssl/ReferenceCountedOpenSslEngine.java | 2 ++
+ .../java/io/netty/handler/ssl/SslUtils.java | 23 ++++++++++++++-----
+ 2 files changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
+index 271da51b83f7..4761a02fb4dd 100644
+--- a/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
++++ b/handler/src/main/java/io/netty/handler/ssl/SslUtils.java
+@@ -314,8 +314,12 @@ static SSLHandshakeException toSSLHandshakeException(Throwable e) {
+ * the given {@link ByteBuf} is not encrypted at all.
+ */
+ static int getEncryptedPacketLength(ByteBuf buffer, int offset, boolean probeSSLv2) {
++ assert offset >= buffer.readerIndex();
++ int remaining = buffer.writerIndex() - offset;
++ if (remaining < SSL_RECORD_HEADER_LENGTH) {
++ return NOT_ENOUGH_DATA;
++ }
+ int packetLength = 0;
+-
+ // SSLv3 or TLS - Check ContentType
+ boolean tls;
+ switch (buffer.getUnsignedByte(offset)) {
+@@ -346,7 +350,7 @@ static int getEncryptedPacketLength(ByteBuf buffer, int offset, boolean probeSSL
+ tls = false;
+ }
+ } else if (version == DTLS_1_0 || version == DTLS_1_2 || version == DTLS_1_3) {
+- if (buffer.readableBytes() < offset + DTLS_RECORD_HEADER_LENGTH) {
++ if (remaining < DTLS_RECORD_HEADER_LENGTH) {
+ return NOT_ENOUGH_DATA;
+ }
+ // length is the last 2 bytes in the 13 byte header.
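Review bot: The new `assert offset >= buffer.readerIndex();` at the top of the ByteBuf overload is a debug-only precondition, not a guard: it is stripped unless the JVM runs with -ea, and nothing in the hunk bounds `offset` against `buffer.writerIndex()`, so an offset past the writer index makes `remaining` negative and the method quietly returns NOT_ENOUGH_DATA instead of failing. That is presumably fine because callers hand in the reader index, but the contract should be stated in the Javadoc whose closing `*/` is in this hunk: `@param offset index of the first byte of the record; must satisfy readerIndex() <= offset <= writerIndex() (only checked under -ea)`. The DTLS check further down now derives its 13-byte minimum from the same `remaining`, so the two guards agree; the rest of getEncryptedPacketLength continues past the hunk.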
+@@ -367,7 +371,8 @@ static int getEncryptedPacketLength(ByteBuf buffer, int offset, boolean probeSSL
+ packetLength = headerLength == 2 ?
+ (shortBE(buffer, offset) & 0x7FFF) + 2 : (shortBE(buffer, offset) & 0x3FFF) + 3;
+ if (packetLength <= headerLength) {
+- return NOT_ENOUGH_DATA;
++ // If there's no data then consider this package as not encrypted.
++ return NOT_ENCRYPTED;
+ }
+ } else {
+ return NOT_ENCRYPTED;
+@@ -420,7 +425,7 @@ static int getEncryptedPacketLength(ByteBuffer[] buffers, int offset) {
+ }
+
+ // We need to copy 5 bytes into a temporary buffer so we can parse out the packet length easily.
+- ByteBuffer tmp = ByteBuffer.allocate(5);
++ ByteBuffer tmp = ByteBuffer.allocate(SSL_RECORD_HEADER_LENGTH);
+
+ do {
+ buffer = buffers[offset++].duplicate();
+@@ -428,7 +433,7 @@ static int getEncryptedPacketLength(ByteBuffer[] buffers, int offset) {
+ buffer.limit(buffer.position() + tmp.remaining());
+ }
+ tmp.put(buffer);
+- } while (tmp.hasRemaining());
++ } while (tmp.hasRemaining() && offset < buffers.length);
+
+ // Done, flip the buffer so we can read from it.
+ tmp.flip();
+@@ -436,8 +441,13 @@ static int getEncryptedPacketLength(ByteBuffer[] buffers, int offset) {
+ }
+
+ private static int getEncryptedPacketLength(ByteBuffer buffer) {
++ int remaining = buffer.remaining();
++ if (remaining < SSL_RECORD_HEADER_LENGTH) {
++ return NOT_ENOUGH_DATA;
++ }
+ int packetLength = 0;
+ int pos = buffer.position();
++
+ // SSLv3 or TLS - Check ContentType
+ boolean tls;
+ switch (unsignedByte(buffer.get(pos))) {
+@@ -478,7 +488,8 @@ private static int getEncryptedPacketLength(ByteBuffer buffer) {
+ packetLength = headerLength == 2 ?
+ (shortBE(buffer, pos) & 0x7FFF) + 2 : (shortBE(buffer, pos) & 0x3FFF) + 3;
+ if (packetLength <= headerLength) {
+- return NOT_ENOUGH_DATA;
++ // If there's no data then consider this package as not encrypted.
++ return NOT_ENCRYPTED;
+ }
+ } else {
+ return NOT_ENCRYPTED;
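Review bot: The embedded patch is incomplete relative to the upstream commit it quotes: its own diffstat counts `.../ssl/ReferenceCountedOpenSslEngine.java | 2 ++`, yet the 101-line file ends after the last SslUtils.java hunk (`return NOT_ENCRYPTED;`) with no hunk for that class, so the engine-side change of 87f4072 is not carried into 4.1.114-2. If that change was part of the upstream remedy, the OpenSSL (native) unwrap path is presumably left unfixed here; either append the missing hunk or record in the spec changelog why it was intentionally dropped. The backport also ships no regression test: a small SslUtilsTest that feeds a 1–4 byte TLS prefix to both getEncryptedPacketLength overloads, plus a ByteBuffer[] whose buffers total fewer than SSL_RECORD_HEADER_LENGTH bytes to exercise the new `offset < buffers.length` loop exit, and asserts NOT_ENOUGH_DATA in each case would pin the fix. Every method body touched by these hunks starts or continues outside the hunk.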
diff --git a/netty.spec b/netty.spec
index 3d1a4fc..19be976 100644
--- a/netty.spec
+++ b/netty.spec
@@ -2,7 +2,7 @@ Name: netty
 Version: 4.1.114
-Release: 1
+Release: 2
 Summary: An asynchronous event-driven network application framework and tools for Java
 License: Apache-2.0
 URL: https://netty.io/
@@ -19,6 +19,7 @@ Patch0006: 0007-Do-not-use-the-Jetbrains-annotations.patch
 Patch0007: no-werror.patch
 Patch0008: reproducible.patch
 Patch0009: fix-strip.patch
+Patch0010: CVE-2025-24970.patch
 
 BuildRequires: autoconf automake libtool gcc
 BuildRequires: maven-local
@@ -176,6 +177,9 @@ export CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
 %files help -f .mfiles-javadoc
 
 %changelog
+* Tue Feb 11 2025 wangkai <13474090681@163.com> - 4.1.114-2
+- Fix CVE-2025-24970
+
 * Thu Nov 14 2024 yaoxin - 4.1.114-1
 - Update to 4.1.114
 * Validate HTTP Method (#14280)
-- Gitee