[Bugfix][T106][task-view-1936] Fix the R155 security issue
Only Configure:No
Affected branch:master/SIHA_SDK5.1_BASE
Affected module:unknown
Is it affected on both ZXIC and MTK:only ZXIC
Self-test:Yes
Doc Update:no
Change-Id: I30d465850302b3120d78136e369e9b873211631e
diff --git a/ap/libc/glibc/glibc-2.23/resolv/nss_dns/dns-network.c b/ap/libc/glibc/glibc-2.23/resolv/nss_dns/dns-network.c
old mode 100644
new mode 100755
index 2eb2f67..3942c70
--- a/ap/libc/glibc/glibc-2.23/resolv/nss_dns/dns-network.c
+++ b/ap/libc/glibc/glibc-2.23/resolv/nss_dns/dns-network.c
@@ -118,17 +118,15 @@
} net_buffer;
querybuf *orig_net_buffer;
int anslen;
- char *qbuf;
enum nss_status status;
if (__res_maybe_init (&_res, 0) == -1)
return NSS_STATUS_UNAVAIL;
- qbuf = strdupa (name);
net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, // CVE-2016-3075
1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
if (anslen < 0)
{
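Review bot: The trailing `// CVE-2016-3075` tag on the `__libc_res_nsearch` call names the advisory but not why `name` is now passed directly; the same bare-tag style recurs in the res_init.c, nl80211.c and nf_reject_ipv6.c hunks. I would replace it with a block comment above the call in the file's own style, e.g. `/* Pass NAME straight through: the removed strdupa copy put a caller-supplied string of unchecked length on the stack (CVE-2016-3075). */`. Separately, the file header flips the mode from 100644 to 100755 here and in res_init.c and nf_reject_ipv6.c; an executable bit on C sources looks unintended and should be dropped from the commit. The enclosing function starts and ends outside the hunk.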
diff --git a/ap/libc/glibc/glibc-2.23/resolv/res_init.c b/ap/libc/glibc/glibc-2.23/resolv/res_init.c
old mode 100644
new mode 100755
index e0b6a80..88bfed1
--- a/ap/libc/glibc/glibc-2.23/resolv/res_init.c
+++ b/ap/libc/glibc/glibc-2.23/resolv/res_init.c
@@ -594,7 +594,7 @@
statp->_vcsock = -1;
statp->_flags &= ~(RES_F_VC | RES_F_CONN);
}
- for (ns = 0; ns < statp->_u._ext.nscount; ns++)
+ for (ns = 0; ns < statp->nscount; ns++) // CVE-2016-5417
if (statp->_u._ext.nsaddrs[ns]) {
if (statp->_u._ext.nssocks[ns] != -1) {
close_not_cancel_no_status(statp->_u._ext.nssocks[ns]);
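Review bot: The new loop bound `statp->nscount` on the `for` line is only safe if, in this 2.23 tree, it counts every slot of `_u._ext.nsaddrs[]` that can hold an allocation or an open socket. As far as I recall, the upstream change for this CVE also reworked how the resolver initialises and tracks its nameserver arrays, and none of that is visible in this commit. If `nscount` here still covers only part of the list, entries past it would be neither closed nor freed. Please confirm against `__res_vinit` and the send path; one conservative option, assuming unused slots are always NULL, is `for (ns = 0; ns < MAXNS; ns++)`, since the body already skips NULL entries. The enclosing function starts and ends outside the hunk.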
diff --git a/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c b/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c
index 3971fd0..4c9140f 100755
--- a/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c
+++ b/ap/os/linux/linux-3.4.x/net/wireless/nl80211.c
@@ -153,6 +153,7 @@
[NL80211_ATTR_CONTROL_PORT_ETHERTYPE] = { .type = NLA_U16 },
[NL80211_ATTR_CONTROL_PORT_NO_ENCRYPT] = { .type = NLA_FLAG },
[NL80211_ATTR_PRIVACY] = { .type = NLA_FLAG },
+ [NL80211_ATTR_STATUS_CODE] = { .type = NLA_U16 }, // CVE-2020-27068
[NL80211_ATTR_CIPHER_SUITE_GROUP] = { .type = NLA_U32 },
[NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
[NL80211_ATTR_PID] = { .type = NLA_U32 },
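Review bot: The added policy entry only helps where a handler in this tree actually reads `NL80211_ATTR_STATUS_CODE` from a userspace message, and no such reader is visible in this hunk. If I recall correctly, the upstream report concerned a handler newer than the 3.4 series, so please confirm that this linux-3.4.x tree (or a vendor backport in it) has an `nla_get_u16()` consumer of the attribute. It is also worth checking that the linux-5.10 tree under `cap/` already carries the entry. If a reader exists, the tag would say more as `/* length-checked by policy so nla_get_u16() cannot read a short payload (CVE-2020-27068) */`. The policy array starts and ends outside the hunk.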
diff --git a/cap/zx297520v3/zxic_code/zxic_source/linux-5.10/net/ipv6/netfilter/nf_reject_ipv6.c b/cap/zx297520v3/zxic_code/zxic_source/linux-5.10/net/ipv6/netfilter/nf_reject_ipv6.c
old mode 100644
new mode 100755
index bf95513..98d4da1
--- a/cap/zx297520v3/zxic_code/zxic_source/linux-5.10/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/cap/zx297520v3/zxic_code/zxic_source/linux-5.10/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -89,33 +89,24 @@
const struct tcphdr *oth, unsigned int otcplen)
{
struct tcphdr *tcph;
- int needs_ack;
skb_reset_transport_header(nskb);
- tcph = skb_put(nskb, sizeof(struct tcphdr));
+ tcph = skb_put_zero(nskb, sizeof(struct tcphdr)); // CVE-2024-47685
/* Truncate to length (no data) */
tcph->doff = sizeof(struct tcphdr)/4;
tcph->source = oth->dest;
tcph->dest = oth->source;
if (oth->ack) {
- needs_ack = 0;
tcph->seq = oth->ack_seq;
- tcph->ack_seq = 0;
} else {
- needs_ack = 1;
tcph->ack_seq = htonl(ntohl(oth->seq) + oth->syn + oth->fin +
otcplen - (oth->doff<<2));
- tcph->seq = 0;
+ tcph->ack = 1; // CVE-2024-47685
}
- /* Reset flags */
- ((u_int8_t *)tcph)[13] = 0;
+
tcph->rst = 1;
- tcph->ack = needs_ack;
- tcph->window = 0;
- tcph->urg_ptr = 0;
- tcph->check = 0;
/* Adjust TCP checksum */
tcph->check = csum_ipv6_magic(&ipv6_hdr(nskb)->saddr,