From 627fb2c1eac92036badd41c7af48d71e5d1ed910 Mon Sep 17 00:00:00 2001
From: xinghe
Date: Sat, 20 Apr 2024 02:21:43 +0000
Subject: [PATCH] revert "fix CVE-2024-2397"

(cherry picked from commit 727434ac5d97b36585896159aeb0158bffaae991)
---
 backport-0001-CVE-2024-2397.patch | 51 ------------
 backport-0002-CVE-2024-2397.patch | 125 ------------------------------
 tcpdump.spec | 10 ++-
 3 files changed, 7 insertions(+), 179 deletions(-)
 delete mode 100644 backport-0001-CVE-2024-2397.patch
 delete mode 100644 backport-0002-CVE-2024-2397.patch

diff --git a/backport-0001-CVE-2024-2397.patch b/backport-0001-CVE-2024-2397.patch
deleted file mode 100644
index f855ecc..0000000
--- a/backport-0001-CVE-2024-2397.patch
+++ /dev/null
@@ -1,51 +0,0 @@ -From 68f6ee780dd1d63f66ec576b52c5e177e89d1f55 Mon Sep 17 00:00:00 2001 -From: Francois-Xavier Le Bail -Date: Mon, 7 Mar 2022 15:09:43 +0100 -Subject: [PATCH] PPP: Change the pointer to packet data - -Thus it can be used for debugging. - -Conflict: NA -Reference: https://github.com/the-tcpdump-group/tcpdump/commit/68f6ee780dd1d63f66ec576b52c5e177e89d1f55 ---- - print-ppp.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/print-ppp.c b/print-ppp.c -index baeb4f004..764944109 100644 ---- a/print-ppp.c -+++ b/print-ppp.c -@@ -1363,7 +1363,7 @@ ppp_hdlc(netdissect_options *ndo, - u_char *b, *t, c; - const u_char *s; - u_int i, proto; -- const void *se; -+ const void *sb, *se; - - if (caplen == 0) - return; -@@ -1395,8 +1395,11 @@ ppp_hdlc(netdissect_options *ndo, - - /* - * Change the end pointer, so bounds checks work. -+ * Change the pointer to packet data to help debugging. - */ -+ sb = ndo->ndo_packetp; - se = ndo->ndo_snapend; -+ ndo->ndo_packetp = b; - ndo->ndo_snapend = t; - length = ND_BYTES_AVAILABLE_AFTER(b); - -@@ -1433,10 +1436,12 @@ ppp_hdlc(netdissect_options *ndo, - } - - cleanup: -+ ndo->ndo_packetp = sb; - ndo->ndo_snapend = se; - return; - - trunc: -+ ndo->ndo_packetp = sb; - ndo->ndo_snapend = se; - nd_print_trunc(ndo); - } diff --git a/backport-0002-CVE-2024-2397.patch b/backport-0002-CVE-2024-2397.patch deleted file mode 100644 index 3478eda..0000000 --- a/backport-0002-CVE-2024-2397.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 Mon Sep 17 00:00:00 2001 -From: Guy Harris -Date: Tue, 12 Mar 2024 00:37:23 -0700 -Subject: [PATCH] ppp: use the buffer stack for the de-escaping buffer. - -This both saves the buffer for freeing later and saves the packet -pointer and snapend to be restored when packet processing is complete, -even if an exception is thrown with longjmp. - -This means that the hex/ASCII printing in pretty_print_packet() -processes the packet data as captured or read from the savefile, rather -than as modified by the PPP printer, so that the bounds checking is -correct. - -That fixes CVE-2024-2397, which was caused by an exception being thrown -by the hex/ASCII printer (which should only happen if those routines are -called by a packet printer, not if they're called for the -X/-x/-A -flag), which jumps back to the setjmp() that surrounds the packet -printer. Hilarity^Winfinite looping ensues. - -Also, restore ndo->ndo_packetp before calling the hex/ASCII printing -routine, in case nd_pop_all_packet_info() didn't restore it. 
- -Conflict: context adapt -Reference: https://github.com/the-tcpdump-group/tcpdump/commit/b9811ef5bb1b7d45a90e042f81f3aaf233c8bcb2 ---- - print-ppp.c | 31 +++++++++++++++++-------------- - print.c | 8 ++++++-- - 2 files changed, 23 insertions(+), 16 deletions(-) - -diff --git a/print-ppp.c b/print-ppp.c -index 2cf06c363..9aed23eb9 100644 ---- a/print-ppp.c -+++ b/print-ppp.c -@@ -37,6 +37,8 @@ - #include - #endif - -+#include -+ - #include "netdissect.h" - #include "extract.h" - #include "addrtoname.h" -@@ -1358,7 +1360,6 @@ ppp_hdlc(netdissect_options *ndo, - u_char *b, *t, c; - const u_char *s; - u_int i, proto; -- const void *sb, *se; - - if (caplen == 0) - return; -@@ -1366,9 +1367,11 @@ ppp_hdlc(netdissect_options *ndo, - if (length == 0) - return; - -- b = (u_char *)nd_malloc(ndo, caplen); -- if (b == NULL) -- return; -+ b = (u_char *)malloc(caplen); -+ if (b == NULL) { -+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, -+ "%s: malloc", __func__); -+ } - - /* - * Unescape all the data into a temporary, private, buffer. -@@ -1389,13 +1392,15 @@ ppp_hdlc(netdissect_options *ndo, - } - - /* -- * Change the end pointer, so bounds checks work. -- * Change the pointer to packet data to help debugging. -+ * Switch to the output buffer for dissection, and save it -+ * on the buffer stack so it can be freed; our caller must -+ * pop it when done. 
- */ -- sb = ndo->ndo_packetp; -- se = ndo->ndo_snapend; -- ndo->ndo_packetp = b; -- ndo->ndo_snapend = t; -+ if (!nd_push_buffer(ndo, b, b, t)) { -+ free(b); -+ (*ndo->ndo_error)(ndo, S_ERR_ND_MEM_ALLOC, -+ "%s: can't push buffer on buffer stack", __func__); -+ } - length = ND_BYTES_AVAILABLE_AFTER(b); - - /* now lets guess about the payload codepoint format */ -@@ -1437,13 +1442,11 @@ ppp_hdlc(netdissect_options *ndo, - } - - cleanup: -- ndo->ndo_packetp = sb; -- ndo->ndo_snapend = se; -+ nd_pop_packet_info(ndo); - return; - - trunc: -- ndo->ndo_packetp = sb; -- ndo->ndo_snapend = se; -+ nd_pop_packet_info(ndo); - nd_print_trunc(ndo); - } - -diff --git a/print.c b/print.c -index b9ba5997d..f20633388 100644 ---- a/print.c -+++ b/print.c -@@ -431,10 +431,14 @@ pretty_print_packet(netdissect_options *ndo, const struct pcap_pkthdr *h, - nd_pop_all_packet_info(ndo); - - /* -- * Restore the original snapend, as a printer might have -- * changed it. -+ * Restore the originals snapend and packetp, as a printer -+ * might have changed them. -+ * -+ * XXX - nd_pop_all_packet_info() should have restored the -+ * original values, but, just in case.... - */ - ndo->ndo_snapend = sp + h->caplen; -+ ndo->ndo_packetp = sp; - if (ndo->ndo_Xflag) { - /* - * Print the raw packet data in hex and ASCII. diff --git a/tcpdump.spec b/tcpdump.spec index b6e64b5..ea3832b 100644 --- a/tcpdump.spec +++ b/tcpdump.spec @@ -1,7 +1,7 @@ Name: tcpdump Epoch: 14 Version: 4.99.1 -Release: 8 +Release: 9 Summary: A network traffic monitoring tool License: BSD with advertising URL: http://www.tcpdump.org @@ -18,8 +18,6 @@ Patch4: backport-Set-SA_RESTART-non-lethal-signals-avoid-corrupting-bina Patch5: tcpdump-Add-sw64-architecture.patch Patch6: backport-CVE-2023-1801-pre-smbutil-Replace-obsolete-function-call-asctime.patch Patch7: backport-CVE-2023-1801.patch -Patch8: backport-0001-CVE-2024-2397.patch -Patch9: backport-0002-CVE-2024-2397.patch Requires(pre): shadow-utils 
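Review bot: Dropping the `Patch8:` and `Patch9:` lines in the `@@ -18,8 +18,6 @@` hunk removes the only mitigation for CVE-2024-2397 in this package, so the built tcpdump is again exposed to the infinite loop in pretty_print_packet() that the deleted backport-0002 description records (an exception raised from the -X/-x/-A hex/ASCII printer jumping back to the packet printer's setjmp), and neither the commit message nor the changelog hunk at the end of the diff says why the fix was reverted or what replaces it. If the backport was reverted because of a regression (the "Conflict: context adapt" adaptation of the buffer-stack change to 4.99.1 would be the obvious candidate, but nothing here shows that), record the reason and a tracking reference in the changelog entry instead of `- CVE:NA`, e.g. `- DESC:revert "fix CVE-2024-2397" (regression: <REASON-PLACEHOLDER>; re-fix tracked in <ISSUE-PLACEHOLDER>)`. Until a corrected backport is re-applied, the package's advisory status should state that CVE-2024-2397 is unfixed in 14:4.99.1-9.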
@@ -94,6 +92,12 @@ make check %{_mandir}/man8/tcpdump.8* %changelog +* Sat Apr 20 2024 xinghe - 14:4.99.1-9 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:revert "fix CVE-2024-2397" + * Thu Apr 11 2024 xinghe - 14:4.99.1-8 - Type:CVE - CVE:CVE-2024-2397 -- Gitee